Linus Henze recently discovered an exploit that can prove to be devastating for macOS. This bug, popularly known as the keychain bug, can bring huge losses to the company. Henze also demonstrated the problem in a video, showing how pressing just a button can reveal the passwords in the Mac's keychain.
What is Keychain?
Keychain is Apple’s password management system, which stores passwords, usernames and similar credentials for its users. It can also store other valuable information such as credit card numbers, bank account numbers and more. This password management system was introduced with macOS 8.6 in 1999. Since then, it has moved to Apple’s mobile devices as well.
What does it Store?
Keychain is meant to store passwords for websites, FTP servers, SSH accounts and Wi-Fi networks, as well as images, notes and more. It also stores user certificates and keys. The keychain system was originally made to work with Apple’s email system, known as PowerTalk.
Keychain: How can you use it?
Initially, the keychain password is the same as the login password. You can open Keychain Access from the Utilities folder in the Applications menu. To add a password to your keychain, select File and then New Password. You can also click the + button at the bottom of the Keychain Access window. The application will also help you determine whether your password is strong enough.
Functions of Keychain Access
The keychain can be used to store any information that is important and hard to remember. It also helps you recover passwords that you might forget in the long run. Another function of the keychain is storing sensitive information that should not be seen by anyone but you. One cannot remember every account password, and there is a chance you might forget your credit card password. Keychain comes to the rescue in such cases, which makes it very beneficial.
What is Keychain Bug?
Recently a problem arose when Henze discovered that there are flaws in this ‘secure’ system and that all the passwords can easily be accessed by hackers. Adding to Apple’s problems, Henze was not initially willing to provide the details to the company, as a protest against Apple’s Bug Bounty Program. He later decided to provide the details anyway, without being paid for them, as he realized that this problem was too important to keep to himself.
What is Apple’s Bug Bounty Program?
Apple’s Bug Bounty Program provides monetary rewards to researchers who point out or reveal bugs that might affect Apple’s devices. Through this program, Apple encourages security researchers to shed light on the different vulnerabilities that have the potential to damage its operating system. However, there is a catch. Apple only invites researchers who have helped it find bugs in the past. This closes the door to all researchers who haven’t contributed to the company before.
Impact of Keychain Bug
Millions of people could have been affected by this bug as hackers wait to find such opportunities and extract the details of users. However, it is due to the wit and wisdom of Henze that users were saved from such a huge mishap. He did not reveal this bug to anyone. Moreover, he also later provided the details of the bug along with a patch free of cost to Apple.
How can you prevent KeySteal?
You can still do something to prevent KeySteal exploits. You can lock the login keychain with an additional password. However, it will lead to problems such as endless password prompts.
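The mitigation above can be applied from Terminal with macOS's `security` command-line tool. The script below is an added example, not code from Henze or Apple; the default keychain path, the 300-second idle timeout, the `--apply` switch and the assumed shape of the `show-keychain-info` output line are assumptions.

```shell
#!/bin/sh
# Added example: put the login keychain behind its own password, make it
# re-lock automatically, and audit the resulting settings.
# Assumptions: default login keychain path; 300 s timeout is illustrative.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"
IDLE_TIMEOUT="${IDLE_TIMEOUT:-300}"

# Classify one line printed by `security show-keychain-info`.
# Assumed line shape:
#   Keychain "<path>" [lock-on-sleep] timeout=<n>s   or   ... no-timeout
# Prints "ok", or a space-separated list of findings.
audit_keychain_info() {
    line=$1
    findings=""
    case $line in
        *lock-on-sleep*) ;;
        *) findings="no-lock-on-sleep" ;;
    esac
    case $line in
        *no-timeout*) findings="${findings:+$findings }no-idle-timeout" ;;
    esac
    printf '%s\n' "${findings:-ok}"
}

harden_login_keychain() {
    # Prompts for the old and the new password. Choose a new password that
    # differs from the account login password, so the keychain is no longer
    # unlocked automatically at login.
    security set-keychain-password "$KEYCHAIN" || return 1
    # -l: lock when the Mac sleeps; -u -t: lock after IDLE_TIMEOUT seconds.
    # A longer timeout means fewer password prompts but a longer unlocked window.
    security set-keychain-settings -l -u -t "$IDLE_TIMEOUT" "$KEYCHAIN" || return 1
    # show-keychain-info reports on stderr, hence 2>&1.
    result=$(audit_keychain_info "$(security show-keychain-info "$KEYCHAIN" 2>&1)")
    # Lock immediately so the new settings take effect from now on.
    security lock-keychain "$KEYCHAIN" || return 1
    printf '%s\n' "$result"
}

# Only touch the keychain when asked to, and only where the tool exists.
if [ "${1:-}" = "--apply" ] && command -v security >/dev/null 2>&1; then
    harden_login_keychain
fi
```

The idle timeout is the knob that trades off the password prompts mentioned above against how long the keychain stays unlocked after each use.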
Previous Bugs that have Affected Users in the Past
The keychain bug is not the only bug that has come to the surface. Apple users have encountered various other bugs across different platforms in the past as well.
Prior to the Mac keychain bug, the most famous, or rather infamous, bug that affected Apple’s users was the FaceTime vulnerability. This bug allowed an attacker to initiate a FaceTime call through code execution. That was not the end of it: another FaceTime bug was discovered later, and Apple subsequently fixed it. Apart from this, a vulnerability was found by researcher Jose Rodriguez. Using this vulnerability, attackers could bypass the user’s lock screen and gain access to photos and Notes.
A team of Google researchers who specialize in bug hunting discovered another bug in the macOS operating system, which allowed hackers to inject malware into the system and replace classified information without the knowledge of either the system or the user.
Other Keychain Problems
Keychain access has led to problems in the past as well. Users have encountered issues with this system which led to further troubles.
- Login Keychain Password: Users of macOS have encountered this problem on versions older than High Sierra. According to user reports, macOS keeps asking for the login keychain password. This problem occurs when the user has changed the password of the user account.
- Loss of Data due to forgotten Password: In cases where you forget the keychain password, you end up losing all your data. You will have to make a new keychain.
- Users not being Able to Change Keychain Password: This problem occurs when your keychain becomes corrupt. In such situations, it becomes compulsory to erase all the data and create a new keychain.