iCloud Keychain encryption bug could expose iOS passwords, credit card numbers

“A security flaw in iOS devices that went largely unreported after it was revealed to have been fixed had the potential to be one of the most damaging security vulnerabilities this year,” Zack Whittaker reports for ZDNet.

“The bug exploited a flaw in how Apple’s iCloud Keychain synchronizes sensitive data across devices, like passwords and credit cards on file, which — if exploited — could’ve let a sophisticated attacker steal every secret stored on an iPhone, iPad, or Mac,” Whittaker reports. “‘The bug we found is exactly the kind of bug law enforcement or intelligence would look for in an end-to-end encryption system,’ said Alex Radocea, co-founder of Longterm Security.”

“It’s all because of a flaw in how iCloud Keychain verified device keys, which Radocea was able to bypass… There are caveats to the attack, said Radocea, indicating that not anyone can carry out this kind of attack. It takes work, and effort, and the right circumstances,” Whittaker reports. “‘With the bug I couldn’t go ahead and steal whoever’s iCloud Keychain just by knowing their account name. I would also need access to their iCloud account somehow,’ he said… Apple released a fix in March, with iOS 10.3 and macOS Sierra 10.12.4.”

Read more in the full article here.

MacDailyNews Take: Yet another example of why you should never reuse passwords – use unique passwords everywhere – and why you should always keep your operating systems up-to-date!

A comprehensive guide to Apple’s very useful iCloud Keychain – January 4, 2017
7 password experts explain how to lock down your online security – May 5, 2016
Why a strong password doesn’t help as much as a unique one – July 22, 2015
Apple releases iOS 10.3, watchOS 3.2, and tvOS 10.2 – March 27, 2017
Apple releases macOS Sierra 10.12.4 – March 27, 2017


  1. And another example of why one should continue to update iOS and macOS when those updates are available. Of course, waiting a day or 2 to see if any bugs show up is never a bad idea either.

    Having OS security updates available to Apple devices, even those purchased several years ago, is one of many big security advantages in going apple

  2. Two factor authentication is a nightmare for me – I use Thunderbird for all my emails (almost 200k) but can’t access my icloud email as Apple’s 2FA fals over everytime. As for iCloud Keychain – can’t access it and have given up trying.

    It doesn’t “just work” – it needs a lot of effort, the process is cumbersone and confusing, and at times simply fails. Too many reports from other users for MDN authors to pretend otherwise.

    1. PEBKAC

      Works fine every time for me and many, many others.

      May I suggest Data Entry 0.002 as an entry-level course for you? We start the slower kids in DE 0.001, but I think there’s something special about you.

    2. Two factor authentucation works absolutely great for me as well.

      Some third party apps need apps need app-specific passwords to access your cloud data, with ios11 all third party apps will. Unfortunately some apps don’t tell you that that’s the problem. Most apps do.

      Follow the instructions in this link to get Thunderbird working.


      1. If all else fails:

        1-delete the app from your ios device
        2-delete the app specific password for that app (if you already have one) as explained in the apple docs https://support.apple.com/en-us/HT204397
        3-create a new app specific password for the app as explained in the apple docs above
        4-download the app, and use the new app specific password when the APP asks for your appleID password

  3. This is why Password managers should not be synced to a cloud service. Makes no difference if we are talking about Agile Bits or Apple, local beats the cloud on security.
    Syncing to a cloud based Keychain is literally putting all your eggs in one basket.

    1. Entirely correct!

      And yet that’s exactly what Agilebits is attempting to do to their customers with 1Password. They’ve gone out of their way to HIDE the fact that 1Password will remain able to work perfectly without having to pay for their cloud account.

      I’ve had a long exchange with AgileBits about this situation and the sum total of their perspective is: They Don’t Care. Their website continues to hide the single user account option. I’ll gladly post my entire exchange with them upon request.

      I just installed LastPass in preparation for dumping 1Password. Sad.

      1. Been with 1 PW for a very long time- not day one, but probably day 2. Keeping them for now.

        Can you imagine a bigger target for hacking than the servers of a small company that hosts the password collections of a group of iPhone and Mac users? The demographics tend to be higher than mean, lots of online accounts and probably banking and investments. If they ever get hit all your shit is up for sale on the Dark Web.

        No thanks.

        1. I don’t wish to FUD AgileBits as their program has had a very good history. But no, I’m never going to trust THEIR cloud service over my own crafty methods of keeping my password database safe.

          However, I am particularly MIFFED at AgileBits this week as they appear to have NO TECH SUPPORT. All I get are bot replies, which of course are worthless. Whoever took over their marketing division requires some stern rebukes! Very naughty in the extreme. Perhaps a spanking is in order!

    1. Nope. It’s FUD SEASON. Happens every time Apple schedules an important event. FUD Season occurs in the three weeks preceding the event. August 1st is the 3rd Quarter Financial Results Conference Call. . . ergo, FUD season starts three weeks before that date. You can set your calendars by it. Never fails. Apple announces an event, the FUD spreaders start spreading doom and gloom stories about Apple three weeks before the event.

  4. This is the 2nd email purportedly coming from Apple that I received. When I checked the email address of the sender (Apple Notification), I suspect that this is a scam because the email address is: infor@icoulapps.com. Very suspicious indeed. The letter with Apple logo looks authentic, asking recipient to verify account as some information was missing, by clicking on a link. This is also suspicious to me because I know my account is complete with no information missing. Beware of you receive such email. Check the sender’s address.

  5. This is a clunker of an article.

    • If they’d bothered to post the relevant CVE (Common Vulnerabilities and Exposures) number involved in this security flaw, I’d have been satisfied. But they didn’t. That means they either don’t understand computer security standards or they don’t care to bother educating their readers.

    • The link they offered for the Alex Radocea blog isn’t a link at all. I can’t even figure out what ‘blog’ they’re talking about. Instead, I found his article at Medium.com from May 8th, a couple months ago. Here it is:

    Bypassing OTR Signature Verification to Steal iCloud Keychain Secrets

    And here’s a link to the CVE at NIST (National Institute of Standards and Technology):


Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.