New open-source app extracts passwords stored in Mac OS X keychain


News
09-06-12, 11:00 AM


A software developer has released an open-source app for the Mac that, when run with administrator privileges, dumps all the passwords belonging to other people currently logged on to the machine.

Within hours of the release of Keychaindump (https://github.com/juuso/keychaindump) by Helsinki-based Juuso Salonen, other Mac experts were downplaying its significance. "News flash, root can also format your hard drive, news at 11," OS X serial hacker Charlie Miller wrote on Twitter (https://twitter.com/0xcharlie/status/243407940697063424), referring to the "root" account that by definition has unfettered privileges in operating systems. "Root is totally a dick, he stole my prom date in high school!" another exploit developer known as thegrugq responded (https://twitter.com/thegrugq/status/243445804323463168).

Their point is that Keychaindump's ability to root out passwords isn't a vulnerability or even an oversight by Apple engineers. It's a necessary design with parallels that can be found in any advanced operating system, including Microsoft Windows and various distributions of Linux. Labeling it as a "bug" or a "vulnerability" is like claiming a meat slicer is flawed because it can saw through the finger of the person using it.

Read 8 remaining paragraphs (http://arstechnica.com/security/2012/09/mac-os-x-keychain-pillaging-app/) | Comments (http://arstechnica.com/security/2012/09/mac-os-x-keychain-pillaging-app/?comments=1#comments-bar)


