Attackers Can Steal Passwords from the Mac Keychain via Email or SMS


It didn’t even take a day for security researchers to find a serious way of exploiting the mechanism through which user clicks could be faked in Mac OS X.

Antoine Vincent Jebara and Raja Rahbani from the myki identity management startup have expanded on the work of Malwarebytes researchers who found this issue with the Genieo Safari extension.

According to their own research, special terminal commands can achieve the very same thing that the Genieo Safari extension was “presumed” to be doing via AppleScript.

myki researchers put together a quick proof-of-concept that packs these terminal commands with a photo. When the photo is opened, it flashes a quick window in front of the user, gives itself permission to access the Mac Keychain (the password storage system), then takes the Keychain's content and sends it via an SMS message.

In their disclosure to CSO, researchers said that the terminal commands can be wrapped into any type of file, not just a photo. These can be videos, torrent files, or even files downloaded via a Web browser.

Additionally, the exfiltration of the Keychain passwords can be carried out via email, instant message, HTTP request (to a database), or any other method a hacker would choose to fetch that content.

Expect more malware to utilize this “forced user click” option in their attacks

As with our previous story on this topic, the attacker exploits features put in place by Apple to help developers create applications that are accessible to users with disabilities.

Unfortunately, the company has not thought to create a blacklist of application windows for which the automatic repositioning of the mouse cursor and the auto-click ability should be disabled.

By allowing developers to tamper with the Keychain access confirmation window, Apple is, in theory and in practice, making it useless.

Since only 200 milliseconds are needed for the Keychain access confirmation window to appear and disappear, users might easily confuse it with a content preloading popup, or might think their Mac froze for a second and the mouse just moved because of this issue.

According to Jebara and Rahbani, their emails to Apple were not answered.