[Developers] SECURITY: trivial reveal of stored passwords
Eric Warnke
ericew at gmail.com
Wed Aug 22 03:05:37 CEST 2007
On 8/21/07, David Chin <david.w.h.chin at gmail.com> wrote:
> Is this how the Keychain Access.app allows you to "Show password"? If
> so, then the bug, such that it is, is an OS X one.
>
> Also, I confirmed that it works if I do it on my own keychain. (BTW,
> my private key is ~/.ssh/id_dsa.) Will it also expose the password if
> another user does it? I have a feeling not.
OSX Keychain gives protected access to the SSHKeychain.app;
SSHKeychain then leaks that password to other applications without so
much as a peep. It's bad practice and it's horrible for an
application that is meant to enhance security. Remember that in
'Keychain Access' you must enter your master password to reveal the
password; in this example you only need your keychain unlocked.
The bug is also in MacFusion and I plan on bringing it to their
attention as well.
-Eric