Researchers discover new keychain vulnerability in OSX

Discussion in 'CSO' started by RSS, Sep 1, 2015.

  1. RSS

    RSS New Member Member

    Antoine Vincent Jebara and Raja Rahbani, the co-founder and lead engineer of MyKi, an identity management company in Beirut, have discovered a vulnerability in Apple's password management system (Keychain) which, if exploited, enables an attacker to compromise stored credentials at will.

    While working with Apple's password manager for their own product, Jebara and Rahbani noticed that if specially crafted terminal commands were issued, they could make Keychain disclose passwords with little to no user interaction.

    The command creates a situation where, instead of asking for a user's Keychain password, Keychain will prompt them to click an allow button. The two researchers then took their theory further and developed a proof-of-concept exploit that triggers the command and simulates a user mouse click in the exact location where the allow button would appear.
