Mac keychain flaw can send your passwords to hackers via text

Two developers have discovered a Mac Keychain vulnerability that hackers can easily exploit to steal passwords, certificates, et cetera with very little user interaction needed. Antoine Vincent Jebara and Raja Rahbani stumbled upon the flaw while working on the Keychain for their identity management software Myki. They found out that attackers can craft commands that can make Mac's password management system prompt users to click an "Allow button" instead of asking them to type in their passwords. Once a user clicks that button, the malicious code can forward Keychain's contents via text, though the info could also be saved somewhere for download later on.

The malware required to trigger that process can be introduced into the victim's computer via innocuous files such as images, documents and spreadsheets. In fact, the proof of concept Rahbani and Jebara developed to test out what they discovered launches the malware-wrapped image in Preview after you click Allow. They designed it that way to show how that method can be used to allay any suspicion brewing in the back of the victim's mind.

In an email to Engadget, Jebara said that they have already notified Apple of the vulnerability and are waiting to hear back. He explained that they decided to come out with this information because it could be extremely harmful to users if exploited. By knowing the flaw's nature, you can at least protect yourself by not click strange buttons that pop up in Keychain.

[Image credit: mangpages/Flickr]