Antoine Vincent Jebara and Raja Rahbani, the co-founder and lead engineer of MyKi, an identity management company in Beirut, have discovered a vulnerability in Apple's password management system (Keychain) which, if exploited, enables an attacker to compromise stored credentials at will.
While working with Apple's password manager for their own product, Jebara and Rahbani noticed that if specially crafted terminal commands were issued, they could make Keychain disclose passwords with little to no user interaction.
The command creates a situation where, instead of asking for a user's Keychain password, Keychain will prompt them to click an allow button instead. The two researchers then took their theory further and developed a proof-of-concept exploit that triggers the command and simulates a user mouse click in the exact location where the allow button would appear.
This process happens in milliseconds (less than 200ms to be exact), right in front of the user, who wouldn't notice a thing.
"The ‘allow’ button appears 10% to the right of the centre of the screen and 7% below it," Jebara said in an email.
"We noticed that the only issue that could affect the location of this 'allow' button is the size of the dock, so we also issue a command that hides the dock for 500ms in order for us to successfully press the 'allow' button."
After the allow button is pressed, the password is intercepted and sent via SMS to the attacker's phone. However, SMS could be replaced by any delivery system, including exfiltration to a C&C server, or it could be stored locally for later retrieval.
The code needed to trigger this attack could be wrapped around anything. In a video, the researchers used an image as the trigger.
Once the image is displayed, the user wouldn't notice the rest of the attack, which is over almost as soon as it starts. Because the code is wrapped around a harmless file, and the code itself is a legitimate command followed by an expected user response (even if it is simulated), security products would likely ignore this attack, because from their point of view nothing bad is happening.
Jebara said that the fix for this flaw would be to alter the way the Keychain responds to the commands they've discovered and prompt the user for a password the way it is supposed to. Another alternative would be to stop using the Keychain, he added, but that is difficult to accomplish given that OS X relies heavily on it. Naturally, Jebara has a horse in this race too, as his own product would address this flaw.
The vulnerability was disclosed to Apple, but they haven't responded to Jebara or Rahbani.
When asked for comment, Apple didn't respond before this story went live.
"We disclosed, because we feel that it is the right thing to do, knowing that a vulnerability of this magnitude would have disastrous consequences (you wouldn’t be able to open any third-party file on your computer without the risk of losing all of your sensitive information until Apple issues a patch). But this doesn’t prevent us from going public either," Jebara explained in a follow-up email.
"The vulnerability is extremely critical. It allows anyone to steal all of your passwords remotely by simply downloading a file that doesn’t look malicious, and can’t be detected by malware detectors - as it doesn’t behave the way malware usually does," Jebara said.
The video below shows the proof-of-concept in action:
A reader asked if this affected iOS as well as OS X. Jebara said that if the user opted to use the iCloud Keychain, "then all passwords saved on the iOS device will also be extracted by the exploit. But the exploit will only execute on an OSX device meaning that it can only be run from a Mac."
As for attack vectors, Jebara said that the following come to mind:
- Direct Attack: An attacker who knows the victim sends a malicious file via email or something similar
- P2P Attack: The attacker embeds the payload in a torrent file and distributes it
- Website Post: Shared on social media disguised as an intriguing article
Relatively elaborate potential vectors:
- Intercept user download from website X via MITM, append payload to download and redirect download to user.
- Get a low privilege shell on user computer (root privilege not needed) and execute payload.