[Developers] SECURITY: trivial reveal of stored passwords
Jay
sshkeychain at lindalane.com
Wed Aug 22 16:08:00 CEST 2007
On Aug 22, 2007, at 11:05 AM, Eric Warnke wrote:
> On 8/21/07, David Chin <david.w.h.chin at gmail.com> wrote:
>> Is this how the Keychain Access.app allows you to "Show password"? If
>> so, then the bug, such that it is, is an OS X one.
>>
>> Also, I confirmed that it works if I do it on my own keychain. (BTW,
>> my private key is ~/.ssh/id_dsa.) Will it also expose the password if
>> another user does it? I have a feeling not.
>
> OSX Keychain gives protected access to the SSHKeychain.app,
> SSHKeychain then leaks that password to other applications without so
> much as a peep. It's bad practice and it's horrible for an
> application that is meant to enhance security. Remember that in
> 'Keychain Access' you must enter your master password to reveal the
> password; in this example you only need your keychain unlocked.
I think this is wrong. The USER grants the KEYCHAIN to always give
SSHKeychain what it wants. You can set Keychain Access the same type
of access to one of its keys and then you will NOT be asked to
authenticate when checking the Show Password checkbox. To me, this is
the same as telling Mail.app that it has unfettered access to your
password and then running tcpdump, checking your mail and saying
there is a security flaw in Mail.