Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
OS X Security Apple

"Extremely Critical" OS X Keychain Vulnerability Steals Passwords Via SMS 123

Mark Wilson writes: Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani — two of the team behind the myki identity management security software — found that a series of terminal commands can be used to extract a range of stored credentials. What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute. Ars reports that this weakness has been exploited for four years.
This discussion has been archived. No new comments can be posted.

"Extremely Critical" OS X Keychain Vulnerability Steals Passwords Via SMS

Comments Filter:
  • by KGIII ( 973947 )

    So who will defend Apple this time or attempt to minimize this or attempt to claim that other OSes are worse so that this is, seemingly, less significant. No OS is secure, it never will be and it only gets worse when you connect it to another device. There will always be security problems.

    Not because I care so much but because I am easily amused...

    • Re: Wait for it... (Score:2, Insightful)

      by Anonymous Coward

      Nobody should defend Apple, because it should require the user to enter the password to open the keychain. Instead of users being trained to blindly click to allow access, Apple let's the application writer approve their own accesses.

      • by KGIII ( 973947 )

        Somebody will if this is like very other thread on the subject. It seems to be a matter of pride. Use the OS that suits the task at hand best for you and practice safe hex. I suspect part of the problem has been the goal of making the computer a device for amusement instead of a computational device as its goal. Aiming for the lowest common denominator can not be a good thing in this field. It just can't be - at least not from my perspective. That's not to say it needs to be overly complex. Maybe it is time

      • by Anonymous Coward

        Actually, this 'bug' *does* require that the user enters a password. It requires that the user enters the *administrator* password to grant the malware app permission to control the computer. That has to happen *before* this attack will work. The attack 'works' because someone has explicitly granted root access to the malware.

    • Re: (Score:3, Funny)

      by cdrudge ( 68377 )

      Apparently this guy will [slashdot.org], saying that no OS is secure, never will be, and there will always be security problems.

    • Re:Wait for it... (Score:5, Insightful)

      by kromozone ( 817261 ) on Wednesday September 02, 2015 @07:36PM (#50447927)

      Watch the video. The SMS is actually an MMS or instant message and he's downloaded a file called "Malicious.app" to the desktop. He then double clicks on that, the dock disappears, and very quickly the "Allow" button is clicked. By default OS X machines come set to allow only Applications from the Mac App Store to run. Most people reduce this security setting to allow applications from "Mac App Store and identified developers" to run. Either way, you'd have to 1) Not notice that this is a .App and not a picture, and 2) Have disabled the default security settings. Otherwise you'd get a big warning saying "You can't open this because of security settings", which would be pretty hard to miss and then you'd have to ignore the warning, change your security settings, re-open the file, not even worry about what the dialog saying "Allow" is and ignore the fact that your dock flashed on and off for no reason.

      I agree that you should be required to enter your password to access the keychain, but this is a guy from Beirut shilling for his password management company. Not only that, he doesn't mention which OS versions are affected or anything else. This could very easily be the NULL-pointer dereference exploit posted last week repackaged in a very clumsy way. If it is, why doesn't he say so? Post the exploit code at least so legitimate researchers can pick it apart.

      If you run around turning off security features and running random .apps from people willy-nilly on your computer, no matter what OS you're running.

      • Re: Wait for it... (Score:2, Informative)

        by Anonymous Coward

        It is only 9 lines of code: http://arstechnica.com/security/2015/09/attacks-accessing-mac-keychain-without-permission-date-back-to-2011/

        Then the app has all the accounts and passwords stored in your keychain.

      • by sribe ( 304414 )

        By default OS X machines come set to allow only Applications from the Mac App Store to run. Most people reduce this security setting to allow applications from "Mac App Store and identified developers" to run.

        The default is to allow applications from Mac App Store and identified developers. But you're right about the rest.

        • by Anonymous Coward

          No, the default is app store only.

          2nd option is the one you said.

          3rd option is allow all apps.

          • No, the default is app store only.

            2nd option is the one you said.

            3rd option is allow all apps.

            But it is important to note that, even on the weakest setting, the User is still required to grant "First Run" privileges. So even if the User has done everything to de-fang GateKeeper, s/he still has to be "complicit" for the Exploit to Run.

            At that point, how much responsibility can be heaped on Apple, versus the User?

      • by fleabay ( 876971 )

        If you run around turning off security features and running random .apps from people willy-nilly on your computer, no matter what OS you're running.

        brain fart?

      • by Malc ( 1751 )

        this is a guy [...] shilling for his password management company

        Thank you. From the tone/writing style of the story, I was wondering whether this was written by a first year CS student or somebody trying to sell something. More clutter adding to the poor SNR on /.

      • by AmiMoJo ( 196126 )

        It's being actively exploited in the wild: http://arstechnica.com/securit... [arstechnica.com]

        The trojan app installs itself by clicking the "allow" button itself, so fast that the user doesn't have time to deny it permission. It installs adware on the user's machine without their consent.

        I'm surprised that Apple didn't use a special type of window for this request. On Windows the UAC requests are done in such a way that this couldn't happen - apps can't grab the window's handle and send simulated clicks.

        The SMS thing is str

        • by Rosyna ( 80334 )

          Apple does use a special type of window that can only be interacted with if a user enters an administrator's username and password.

          It says that's exactly what the user is doing in that Ars article. And UAC won't prevent an application running as SYSTEM from issuing commands that require SYSTEM.

          • by AmiMoJo ( 196126 )

            TFA shows an Applescript script that clicks the "accept" button. That doesn't seem very well protected.

            • The 'researchers' had to specifically and literally disable the default security protections on their machine in order to have that happen.

              Otherwise, it would have popped up a window refusing to run the application at all, instead demanding that you go into System Preferences to allow that specific application.

              It's like cutting the brake lines on a Toyota, then showing a video of it running into something while claiming that the car company has a serious brake design problem. :/

            • by Rosyna ( 80334 )

              Yeah, the AppleScript only works after the user has entered the administrator's username and password to allow it to use accessibility features to control other applications

      • by Rosyna ( 80334 )

        This is a malicious application (not an image) that has been allowed to run after the user dismissed the gatekeeper dialog that warns about downloading applications, after the user entered their password (to allow the malicious application to control other applications) and it's accessing a keychain item with no ACLs? How is that a flaw in Mac OS X?

      • If you run around turning off security features and running random .apps from people willy-nilly on your computer, no matter what OS you're running.

        Exactly.

        I would bet that the people that are on here declaring gloom and doom and "Apple doesn't care about Security", etc. are some of the very same people who will defend Android to the death when a user clicks-through the "Permissions" list when Installing an App, saying that it is the User's responsibility to be vigilant about granting Permissions.

        Guess what? Social Engineering works, and will likely continue to work, on certain people, and it is damn-near impossible to protect all users from themse

    • by Anonymous Coward

      Some of you clowns hate Apple so much, you will believe any unauthenticated negative you read.

      I'm mixed on Apple and not fan, but it is always funny watching the "See! See! Apple is insecure too".

      And then someone smart posts how ridiculous the claim is by explaining the several asterisks of the supposed exploit.

    • Ars will http://arstechnica.com/securit... [arstechnica.com]: "Mac users should remember that the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don't require social engineering and end-user interaction. "
    • by doccus ( 2020662 )

      I have used macs for years but I sure as hell won't defend Apple on this one. FOUR YEARS and they've said NOTHING? Instead, they withhold security updates for any system 3 years or more old. Frankly, I am dead sick and tired of the maroons that blame users for not using the very newest upgrade. Totally aside from the feeling of utter violation incurred from forced upgrades, the fact is that unlike Microsoft, Apple has recently gone out of their way to break applications on every new release, forcing develop

  • by wbr1 ( 2538558 ) on Wednesday September 02, 2015 @07:36PM (#50447931)
    SMS? This is an apple script exploit on a mac PC. not a mobile device. Nowhere does the article explain that SMS is an attack vector and unless iOS is vulnerable as well,I do not see how it could be.
    • Re: (Score:3, Informative)

      Yea I was having a hard time making the SMS connection. TFA speculates that SMS "could" be used to transmit the hijacked passwords:

      It is then possible to intercept a user's password and send it to the attacker via SMS or any other means

      pretty far stretch if you ask me...

      • It is then possible to intercept a user's password and send it to the attacker via IrDA or any other means

        There. Much more relevant.

    • SMS? This is an apple script exploit on a mac PC. not a mobile device. Nowhere does the article explain that SMS is an attack vector and unless iOS is vulnerable as well,I do not see how it could be.

      Actually, if you watch the video, the only thing you can really see is that Malicious App sends a SMS with the password it "stole" - via Twillo obviously: https://www.twilio.com/sms [twilio.com]. But hey, clickbait is clickbait - and it worked. Oh, did it work.

    • SMS? This is an apple script exploit on a mac PC. not a mobile device. Nowhere does the article explain that SMS is an attack vector and unless iOS is vulnerable as well,I do not see how it could be.

      Not to support the obvious shill-article; but I believe that, since OS X 10.10 (Yosemite), Macs have been able to receive/send SMS and MMS messages [apple.com] that are routed through Apple's iMessage service.

      Having said that, I still believe that the amount of disabling of security by the User, and the Granting of Permissions by the User puts this Exploit solidly in the "Yawn" territory.

    • My iPhone is paired with my Mac and the Messages applications on my iPhone and Mac are linked as well. When my phone is near my Mac I do indeed get SMS messages on my Mac, as iMessage and Gtalk, other people probably do the same.

      Doesn't Android do that too with Hangouts or something?

  • by Anonymous Coward on Wednesday September 02, 2015 @07:37PM (#50447933)

    No one is going to get my passwords. They've all been safely keylogged onto Microsoft's ultrasecure telemetry cloud!

    • by t-wata ( 601574 )
      yeah, it is enough secure that only Microsoft can see the data..
  • by nickweller ( 4108905 ) on Wednesday September 02, 2015 @07:39PM (#50447947)
    "as long as a user had already allowed the app running the script to control the Mac .. the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don't require social engineering and end-user interaction." ref [arstechnica.com].
    • by Anonymous Coward

      So just build it into any of the thousands of otherwise useful open source apps out there and wait for people to install it on their own. That approach has worked wonders in the past.

      User: "I wonder how my network is doing. Ooh this cool app will give me a list of hosts on my LAN and also tell me how much bandwidth my computer is using. Cool!" *click*. Done.

  • by Anonymous Coward

    On OS X, this programmatically easier to do, but it's possible with a little more effort in Linux (if using GNOME or KDE and their password stores) and Windows (which is trickiest of all since you specifically deal with an application's store rather than a central one; presumably you'd go for a browser). the The trick is really just getting a user to run the executable in the first place.

    Note that you don't use SMS to attack, just to transmit the data. OS X makes it simple to use SMS, but other systems cou

    • by gl4ss ( 559668 )

      the addition of sms into the article is bizarre. it almost sounds like a bizarre ios tie in to an article that has nothing to do with that.

      oh well, years old flaw.. so yeah, that's what it is.

    • On OS X, this programmatically easier to do, but it's possible with a little more effort in Linux (if using GNOME or KDE and their password stores) and Windows (which is trickiest of all since you specifically deal with an application's store rather than a central one; presumably you'd go for a browser)

      On Windows - unlike on OS X and Linux - there is the concept of User Interface Privilege Isolation (UIPI) where a process running with a higher integrity level cannot be remote controlled by a lower-integrity process.

      The real vulnerability here is NOT whether the user has allowed the process to run or not or whether it came through the app store nor not. The critical vulnerability is the lack of isolation of the window that is supposed to obtain approval from the interactive user. This lack of isolation mea

      • by Rosyna ( 80334 )

        It is isolated. In order to interact with it, a user must explicitly permit it by entering an admin's username and password.

        • It is isolated. In order to interact with it, a user must explicitly permit it by entering an admin's username and password.

          Sorry, but that is not isolation. If the prompt require a password rather than just an accept, the launching process can *still* control it remotely through Applescript - it would just not know what to put in the fields. That's not isolation. At best, it is a mitigating factor.

          Isolation would mean that any Applescript launched from the process was *barred* from interacting with the approval window.

          The vulnerability here is architectural: Windows can be remotely controlled. Ask yourself this: What good is an

          • by Rosyna ( 80334 )

            Uhm, the username and password entry is required before the controlling app even gets a chance to control anything, an admin has to approve the controlling.

            That is, the approval window (let's call it B) the article is talking about showing is not the approval window (that requires an admin's username and password, let's call it A) shown in order to allow one application to control another. A is shown before B is shown.

    • It's pretty easy on anything running X11, where the authentication of things that are allowed to deliver arbitrary input events to other applications is 'oh, you're a program that can read this user's home directory or from a trusted IP address? Go right ahead! By the way, if you're not then you're not allowed to put windows on the screen.' Windows has a similar mechanism, but has a special category of window that can only receive input from privileged components (i.e. real input devices and designated a
      • I filed a bug with Apple about the ease of spoofing the Keychain authorisation and privilege elevation dialogs against OS X 10.2. Maybe by 10.11 they'll fix it...

        Apple bug or security reports are like petitions on whitehouse.gov. If they notice them at all, it's to mock them. Sadly, the same is true of Android. Still no pinless pairing after how many years of people asking for it on the same two bug reports?

      • on X11 most security dialogs are grabbing keyboard, which should disable any input except the mouse and keyboard from interacting with the window.
        So that makes it impossible to send keypresses to security dialogs.

    • in linux it's horribly easy.
      The keystore is not locked if your are logged in (i.e. screensaver is off).
      So a simple 3 lines script is enough to read all your passwords.
      This bug has been signalled multiple times.
      I never store my passwords in the keystore.

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...