  1. #1
    Keychain exploit in the wild?
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    315
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    If a video of a keychain exploit is available on YouTube, it's pretty safe to say that it is in the wild already...



    Is there a timeframe for Apple to patch this vulnerability?

  2. #2
    chscag's Avatar
    Member Since
    Jan 23, 2008
    Location
    Keller, Texas
    Posts
    57,754
    Your Mac's Specs
    2017 27" iMac, 10.5" iPad Pro, iPhone 7+, iPhone 8, Numerous iPods, Mojave
    I believe Apple is already aware of the vulnerability, but I have not heard of any forthcoming patches or fixes. We will add on to this thread if we hear anything.

    Apparently, the individual who discovered this exploit or vulnerability is refusing to disclose it to Apple because he's unhappy with Apple's policy of rewarding bug exploit finders who discover the nasties only in iOS and not macOS.

    The whole saga of this sounds childish and silly. You can read more on this by doing a Google search for "keychain exploit".
    Last edited by chscag; 02-08-2019 at 10:10 PM. Reason: More info added.

  3. #3
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    315
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Well, the 10.14.4 version released on February 7th has addressed the FaceTime, CVE-2019-7286 and CVE-2019-7287 vulnerabilities, privilege escalation and arbitrary code execution respectively. Maybe it had been addressed already...

    The fact that Apple specifies FaceTime, but not keychain, in their HT209520 makes me doubt that this vulnerability had been addressed in 10.14.4.

    As for childish...

    The "kid" has a point, even if I don't agree with the way he expresses it. He could also sell this exploit to a number of exploit brokers, like Zerodium, for substantially more than whatever the Apple reward might be for a macOS exploit. To my knowledge, he did not, as of yet at least. There's that...

  4. #4
    chscag's Avatar
    Member Since
    Jan 23, 2008
    Location
    Keller, Texas
    Posts
    57,754
    Your Mac's Specs
    2017 27" iMac, 10.5" iPad Pro, iPhone 7+, iPhone 8, Numerous iPods, Mojave
    The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.

  5. #5
    ferrarr's Avatar
    Member Since
    May 21, 2012
    Location
    Pawtucket, RI, US
    Posts
    6,175
    Your Mac's Specs
    L2014 Mac mini macOS 14, iPhone 8+ iOS 12, 12.9" iPad Pro 1 iOS 12, Pencil 1
    Quote Originally Posted by chscag View Post
    The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.
    Only Apple?

    Some people prefer to complain a lot louder about Apple, because of their success, and the way they prefer to keep their environment secured.
    -- Bob --
    Please backup. Everything has a life cycle, unexpected and warning free. Nothing will last as long as you want it to.

  6. #6
    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    5,852
    Your Mac's Specs
    MBP 15" Mid 2015, iPhone XS, an iMac, plus ATVs, AWatch, MacMini
    I don't see the threat. Yes, this guy has demonstrated that if the thief is logged into my system (I use a very powerful password for that), and if he/she has installed the KeySteal code on my machine (needing my Admin password to install it, another strong pass phrase) then he can get my passwords. But he's already got my password and my admin pass phrase just to get to where he can run KeySteal, so what is the threat? Just use the admin password and Keychain Access directly.
    Jake

  7. #7
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    315
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Quote Originally Posted by chscag View Post
    The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.
    My bad, the version is 10.14.3 on my macOS...

  8. #8
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    315
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Quote Originally Posted by MacInWin View Post
    I don't see the threat. Yes, this guy has demonstrated that if the thief is logged into my system (I use a very powerful password for that), and if he/she has installed the KeySteal code on my machine (needing my Admin password to install it, another strong pass phrase) then he can get my passwords. But he's already got my password and my admin pass phrase just to get to where he can run KeySteal, so what is the threat? Just use the admin password and Keychain Access directly.
    I agree with you, but...

    In the video, the KeySteal app is a full-blown app with a GUI. What if the KeySteal code were converted into a script, with no actual notification to the end user, for remote exploit via the browser or any other means? From my perspective, that's possible as long as the vulnerability utilized by this app exists. I hope not...

  9. #9
    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    5,852
    Your Mac's Specs
    MBP 15" Mid 2015, iPhone XS, an iMac, plus ATVs, AWatch, MacMini
    Sure, but that is a what, if, maybe, could, possible, threat. The ACTUAL threat is probably really low. I have a lot more things to worry about than a maybe, could, possibly, if, threat. Would I prefer that there not be a hole in Keychain? Sure, and I'm also sure Apple will plug that hole. But in the meantime, using a VPN, strong passwords and pass phrases and good browsing habits will keep me as safe as I can be.
    Jake
