Attackers Can Steal Passwords from the Mac Keychain via Email or SMS

Exterminator
Attackers can gain access to passwords by faking user clicks on the Mac Keychain access confirmation window
It didn't even take a day for security researchers to find a serious way of exploiting the mechanism through which user clicks could be faked in Mac OS X.

Antoine Vincent Jebara and Raja Rahbani from the myki identity management startup have expanded on the work of Malwarebytes researchers who found this issue with the Genieo Safari extension.

According to their own research, using special terminal commands, the very same thing can be achieved through what the Genieo Safari extension was "presumed" to be doing via AppleScript.

myki researchers put together a quick proof-of-concept which allowed them to pack these terminal commands with a photo which, when opened, would flash a quick window in front of the user, and then after giving itself permissions to access the Mac Keychain (password storage system), would then take its content and send it via an SMS message.

In their disclosure to CSO, researchers said that the terminal commands can be wrapped into any type of file, not just a photo. These can be videos, torrent files, or even files downloaded via a Web browser.

Additionally, the exfiltration of the Keychain passwords can be carried out via email, IM message, HTTP request (to a database), or any other method a hacker would choose to fetch that content.

Expect more malware to utilize this "forced user click" option in their attacks
As with our previous story on this topic, the attacker exploits features put in place by Apple to help developers create applications that are accessible to users with disabilities.

Unfortunately, the company has not thought to create a blacklist of application windows for which the automatic re-position of the mouse cursor and the auto-click ability should be disabled.

By allowing developers to tamper with the Keychain access confirmation window, they are in theory and practice making it useless.

Since only 200 milliseconds are needed for the Keychain access confirmation window to appear and disappear, users might easily confuse it with a content preloading popup, or might think their Mac froze for a second and the mouse just moved because of this issue.

According to Jebara and Rahbani, their emails to Apple were not answered.
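
A defender can use the roughly 200 ms timing described above as a detection signal. The following is an added example, not part of the original post or the researchers' work: it pairs "prompt shown" and "prompt decided" events and flags approvals that arrive faster than a person could read and click. The event format, process names and the 500 ms threshold are assumptions made for illustration.

```python
"""Flag Keychain access prompts approved faster than a person could react."""
import csv
import io

# Assumption: an approval in under 500 ms was not a deliberate human click.
# The article reports about 200 ms for the scripted prompt to appear and vanish.
MIN_HUMAN_DWELL_MS = 500

# Constructed sample telemetry (hypothetical format, not an Apple log):
# epoch_ms, dialog_id, event, requesting_process
SAMPLE_EVENTS = """\
1441100000000,d1,shown,Mail
1441100004200,d1,allowed,Mail
1441100010000,d2,shown,photo_viewer_helper
1441100010190,d2,allowed,photo_viewer_helper
1441100020000,d3,shown,Safari
1441100020150,d3,denied,Safari
1441100030000,d4,shown,updater
"""


def find_suspicious_approvals(raw, min_dwell_ms=MIN_HUMAN_DWELL_MS):
    """Return (dialog_id, process, dwell_ms) for prompts allowed too quickly."""
    shown = {}  # dialog_id -> (timestamp, process) still awaiting a decision
    findings = []
    # Sort by timestamp so out-of-order delivery does not break the pairing.
    rows = sorted((r for r in csv.reader(io.StringIO(raw)) if r),
                  key=lambda r: int(r[0]))
    for ts, dialog_id, event, process in rows:
        ts = int(ts)
        if event == "shown":
            shown[dialog_id] = (ts, process)
        elif event in ("allowed", "denied"):
            start = shown.pop(dialog_id, None)
            if start is None:
                continue  # decision without a matching prompt: cannot time it
            dwell = ts - start[0]
            # Only approvals grant access; a fast denial exposes nothing.
            if event == "allowed" and dwell < min_dwell_ms:
                findings.append((dialog_id, start[1], dwell))
    return findings


if __name__ == "__main__":
    for dialog_id, process, dwell in find_suspicious_approvals(SAMPLE_EVENTS):
        print(f"ALERT {dialog_id}: {process} approved after {dwell} ms")
```
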

 