Best Reviews logo
Best Reviews may receive compensation for its content through paid collaborations and/or affiliate links. Learn more about how we sustain our work and review products.
macOS Keychain Vulnerabilities Apple Doesn’t Want to Talk About

macOS Keychain Vulnerabilities Apple Doesn’t Want to Talk About

By István F.István F. Verified by Adam B.Adam B. Last updated: July 17, 2024 (0)

A serious vulnerability uncovered by security researcher Patrick Wardle from Synack has cast a dark shadow over the launch of Apple’s latest desktop operating system, macOS 10.13 High Sierra. This case also makes us wonder just how many security issues Apple’s desktop and mobile operating systems include.

While the latter question is a bit hard to answer – only time (and hackers) will tell – the common vulnerabilities and exposure (CVE) database reveals that Apple’s services aren’t as prone to hackers as users may think, despite this recently detected flaw. Some security experts say that the more popular the Mac becomes, the more likely it will be targeted by hackers. The passage of time seems to corroborate these claims as there has been a spike in attacks targeting Mac computers, though in spite of this macOS still remains one of the most secure desktop platforms.

iCloud vulnerabilities

In fact 2017 was quite a busy year for Apple: it had to patch 62 vulnerabilities involving iCloud in some way, which equates to only one issue appearing in the CVE database. Denial-of-service attacks are clearly the more widespread vulnerability since of the total of 63 issues, 82.5% (52) allowed attackers to execute arbitrary code or cause denial of service (memory corruption and application crash) via a crafted website. Some of these issues were severe, with a ranking vulnerability score of 9.3. In particular these problems, which were reported in July 2017, involved WebKit on iOS before 10.3.3, Safari before 10.1.2, iCloud before 6.2.2 on Windows, iTunes before 12.6.2 on Windows, and tvOS before 10.2.2.

iCloud Keychain vulnerability

What has really raised eyebrows, however, is the issue involving the Keychain component. Some may already use Keychain or know that Apple lets users store their passwords and credit card details along with other information in Keychain Access, an app stored locally on the computer. If users have multiple devices, they can choose to synchronize passwords across all devices with iCloud Keychain. That, in theory, is supposed to be secure, as the data in iCloud Keychain is protected by encryption.How can I know if my password was stolen?

As discovered by Alex Radocea of Longterm Security Inc., however, a security flaw in iCloud Keychain failed to validate the authenticity of OTR packets. This issue allowed an attacker – able to intercept TLS connections – to read secrets protected by iCloud’s Keychain.

But actually this wasn’t the first security flaw affecting iCloud Keychain: in 2015 security researchers discovered two others:

  • CVE-2015-5836: Apple Online Store Kit in Apple macOS before 10.11 improperly validates iCloud keychain item ACLs, allowing attackers to obtain access to keychain items.
  • CVE-2015-1065: Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple macOS through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code.

Apple addressed every bug reported by security researchers and credited them for highlighting the issues.

More recently, in the fall of 2017, the launch of macOS High Sierra was overshadowed by a zero-day security flaw discovered in Keychain, the password manager of macOS. The code Wardle executed through an unsigned app he developed was able to retrieve passwords saved in Keychain in plane text, without requiring the admin password as it should.

Password managers prone to security flaws

We don’t read about security flaws related to Apple too often. There is one thing that needs to be kept in mind, though: the software is created by humans and even with the best developers in the team there is a slight chance that a bug can slip through.

The same goes for password managers. There was much buzz around the security flaws discovered in the most popular of these, including but not limited to LastPass and 1Password. But that doesn’t mean you should stop using them. It can be done, of course, on pen and paper, but that feels like living in the 19th century. What you can do to address such issues is to use the service wisely – since no software is hacker-proof – and keep an eye on any communications from the developers. If they fail to communicate with the users in cases of a security flaw or don’t patch the flaw quickly, then that’s a good sign that you need to change your password manager.

User Feedback

 Leave a reply

Your email address will not be published. Required fields are marked *


Latest Articles

How To Master English Fluency: 10 Effective Tips and Tricks
When it comes to language learning, we often come across the word ‘fluency’. But what does it mean exactly? Simply put, fluency is the ability to articulate a message ...
Read article
4 Reasons To Choose CRM Software With AI
With the competition increasing, maintaining lasting customer relationships is more crucial than ever. Customer relationship management (CRM) systems have long been the backbone of most businesses’ effective interaction management, helping them streamline processes, improve satisfaction, and boost sales
Read article
Empower Your Wedding With The Perfect Hashtag
Do you remember the time when # was a simple sign used only in phone menus? The mundane past of the hashtag is now gone, because Twitter came, saw, and turned this barely known sign into a global Internet craze. 
Read article

Best Reviews

Best Reviews may receive compensation for its content through paid collaborations and/or affiliate links. Learn more about how we sustain our work and review products.

©2012-2024 Best Reviews, a clovio brand – All rights reserved
Privacy policy · Cookie policy · Terms of use · Partnerships · Contact us