Mr. Steal Yo Keychain

TL;DR on recent versions of macOS, including High Sierra, arbitrary apps can dump the full OS keychain (including your plaintext passwords).

I tweeted about this last night which included a link to a video demonstrating this attack.

Since 140 characters isn't really enough space, I wanted to clarify a few things.

Q: What is the keychain?
A: Detailed by Apple in a document titled "Keychain for Mac" the keychain is "a locked, encrypted container used in Keychain Access to store account names and passwords for applications, servers, and websites. You can also use keychains to store confidential information such as credit card numbers or personal identification numbers (PINs) for bank accounts" So yah, it is where Apple stores a lot of your sensitive data. Malware or hackers would love to steal to this juicy information!

Q: What does your attack do?
A: I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data .... including your plain text passwords. This is not something that is supposed to happen! :(

Q: Wait, aren't apps supposed to be able to access the keychain?
A: As far as I know, apps are allowed to access the keychain to access their data (i.e. items they have explicitly stored there). Obviously random apps should not be able to access the entire keychain and dump things like plaintext passwords. In fact, even signed Apple utilities (i.e. /usr/bin/security) that are designed to legitimately access the keychain explicitly require user approval or most authenticate (with the user's password) before they are allowed to retrieve sensitive keychain data! This of course is very wise security decision on Apple's part.

Q: What versions of the OS X/macOS are vulnerable?
A: I've only tested the exploit on Sierra and High Sierra, but El Capitan appears vulnerable as well. So to clarify, this is not a 'High Sierra specific' vulnerability.

Q: What are the prerequisites for this attack?
A: As this is a local attack, this means a hacker or piece of malware must first infect your your Mac! Typical ways to accomplish this include emails (with malicious attachments),  fake web popups ("your Flash player needs updating"), or sometimes legitimate application websites are hacked (e.g. Transmission, Handbrake, etc). Theoretically, this attack would be added as a capability or as a payload of such malware. For example, the malware would persist, survey the system, then use this attack to dump the keychain. If I was writing a modular mac backdoor or implant, I'd call it the "dump keychain" plugin :)

Q: Your tweet mentioned "unsigned apps" Why?
A: I merely wanted to show how low the bar was/is set. Meaning; essentially any malicious code can perform this attack. Yes, this includes signed apps as well! 

Q: Is this a new attack?
A: Yes! At least one person on twitter believes otherwise, linking to a (old) blog that discusses a previous issue with the keychain. Recent versions of macOS are not vulnerable to this old, known attack. Don't believe me? Go try it! Apple has been wise to harden macOS so that system dialogs ignore programmatically generated (or as Apple calls them "synthetic") events. Google 'CVE-2015-5943' for more details. 

Q: Did you report this bug to Apple? Or are you a big jerk?A: Contrary to a top rated comment (ha!), I contacted Apple's product security team via email and text in early September (shortly after discovering the bug). I provided a detailed writeup and source code of a PoC exploit, and followed up with them after the submission. They (as always!) seemed appreciative of my findings and efforts. 

Also, I think it is important to note that I did not release any technical details of the vulnerability. My goal of posting the video was to raise awareness of the fact that High Sierra was shipped with an exploitable vulnerability - so we can all take necessary precautions.  

Q: When will this be patched?
A:  As my discovery of this bug and report (in early September) was 'shortly' before High Sierra's release, this did not give Apple enough time to release a patch on time. However, my understanding is a patch will be forthcoming!

Q: What can I do to protect myself from this attack?
A: A few things. As mentioned before, this attack is local, meaning malicious adversaries have to  first compromise your mac in some way. So best bet - don't get infected. This means run the latest version of macOS and don't run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it. 

Q: Doesn't Apple have a bug bounty program to reward security researchers for reporting such nasty bugs?
A: Unfortunately Apple's bug bounty program does not cover macOS. As such, no reward for me. But cliche, as this sounds, I'll be stoked (as a fellow mac user) to know that once patched, macOS will be more secure. Plus your patron support more than makes up for Apple's parsimonious approach :)

Tier Benefits
Recent Posts