Two Lebanese developers have found a weakness in the Mac Keychain, which hackers can easily take advantage of to steal passwords.
While working on the Keychain for their password management software MyKi, Antoine Vincent Jebara and Raja Rahbani discovered the flaw by accident.
It is especially critical because it allows anyone to steal your passwords remotely, simply by asking you to download a file that does not look malicious at all, and which the usual malware detectors can't detect since it behaves nothing like malware does.
When you open the file, the shell code executes, steals your passwords and sends them to the attacker via SMS or online.
The hack is triggered by sending a seemingly harmless image (or even a document or spreadsheet) to the victim's computer or phone. For example, attackers can send an image file that looks legitimate, yet issues commands that prompt iOS and OS X users to click on an “Allow” button instead of typing in their passwords.
Rahbani and Jebara demonstrate this in the video below, for which they developed an image that launches the malware in “Preview” once the user clicks on “Allow”. They designed it this way to show how easy it is to target someone without raising any suspicion.
Jebara and Rahbani are now working closely with Apple to fix it. They decided to come out with the information since it would be extremely harmful to users if exploited. By knowing the flaw's nature, you can at least protect yourself by avoiding strange “Allow” buttons that pop up in Keychain.
“We disclosed as soon as we reached out to Apple because we feel that it is the right thing to do, knowing that a vulnerability of this magnitude would have disastrous consequences (you wouldn't be able to open any third-party file on your computer without the risk of losing all of your sensitive information until Apple issues a patch),” said Jebara.
This announcement probably pushed Apple to take notice and start resolving the issue. Even if a user only used Keychain in the past and then stopped, it tends to stay integrated in the work stream, explained Jebara: “It is highly unlikely that password security certificates get removed from the keychain especially if a user opts for iCloud Keychain.”
With the reveal of the iPhone 6s, Apple TV, and iPad Pro, Priscilla Elora Sharuk, Co-founder of MyKi, said the issue would have little effect on Apple’s future sales: “I don’t think this has an impact on the reveal of their new and updated products, and we are certain that Apple is taking the matter seriously and is now working on mitigating the problem to avoid serious long term consequences.”