Apple confirms Mac OS X flaw which exposes Keychain password

“Apple has confirmed a security glitch that, in many situations, will let someone with physical access to a Macintosh computer gain access to the password of the active user account,” Declan McCullagh reports for CNET.

“The vulnerability arises out of a programming error that stores the account password in the computer’s memory long after it’s needed, meaning it can be retrieved and used to log into the computer and impersonate the user,” McCullagh reports.

“‘This is a real problem and it needs to be fixed,’ said Jacob Appelbaum, a San Francisco-based programmer who discovered the vulnerability and reported it to Apple,” McCullagh reports. ‘Appelbaum is one of the team of researchers who published a ‘cold boot’ paper last week describing unrelated vulnerabilities in encrypted filesystems, including Apple’s FileVault, Windows Vista’s BitLocker, and a number of open-source ones.”

“The security glitch works like this: The OS X subsystem that asks for a username and password to log into an account is, reasonably enough, called loginwindow.app. In the default configuration, the account password unlocks the user’s keychain and the encrypted FileVault volume (if one is in use),” McCullagh reports. “But instead of immediately erasing the password from memory once the unlocking process is complete, OS X keeps it around. That means someone with physical access to the computer can use multiple methods to extract the contents of the computer’s DRAM chips.”

“Turning off your computer and waiting a minute or more protects you from this attack by giving the contents of DRAM time to decay,” McCullagh reports.

Full article here.

MacDailyNews Take: So, until Apple fixes this issue, do not turn off your Mac and bolt from the room if you’re worried that black helicopters carrying nefarious international spies ready to instantly rappel into your home or office someone’s intent on gaining access to your Mac. Instead, relax and sit there for a minute or so contemplating the existential meaning of DRAM decay, then you’ll be all set.

Seriously, though, portable Mac users (who are most likely using Sleep by just closing the lid), if you think you might leave your notebook in the plane, train, automobile, etc. and that someone will find it and attempt to extract info from your RAM (as opposed to immediately wiping the drive and putting it up for sale on eBay), then you might want to consider shutting down when not in use (a pain, we know) until Apple fixes this glitch.

56 Comments

  1. Non issue for most of us. Good to know and fix for those who truly carry sensitive information on their laptop. This was a good find and Appelbaum is to be congratulated for finding it and reporting it responsibly to Apple and the other effected OS writers.

  2. Now I understand what happened. My identity got stolen. I knew I should of questioned the two guys under my desk about the network network and logic analyzers they were connecting to my Mac pro. Man we are completely fccked. There is no way of keeping people from connecting network and logic analyzers to the memory bank of your mac while you are working. This is a major design flaw.

    TRUE STORY: My house got broken into yesterday. They took the Toshiba laptop and left the Mac. Geez…

    Just my $0.02

  3. And if you stand on your head and rub a wooden nickel between your thumb and middle finger while chanting Lincoln’s Gettysburg Address people will stuff zucchini squash in your ears and call you “Woodrow”. Hey, don’t laugh. It’s as relevant and valuable as this story.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.