Fwd: Tweet by patrick wardle


Fwd: Tweet by patrick wardle

Fritz Mills
I think this exposes a big vulnerability…

Begin forwarded message:


patrick wardle (@patrickwardle)


on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 viplayer.vimeo.com/video/235313957U#smhspic.twitter.com/pqtpjZsSnqSnq





____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____

Re: Tweet by patrick wardle

@lbutlr
On Sep 26, 2017, at 10:55, Fritz Mills <[hidden email]> wrote:
> I think this exposes a big vulnerability…
>
> patrick wardle (@patrickwardle)
> on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)

Nope. Not only is this not a big deal, it is nothing new.

In order to dump the keychain you need a program that has accessibility permissions to control the GUI, which requires admin authorization, or you have to convince the user to click a button for every single item in the keychain.

-- 
This is my signature. There are many like it, but this one is mine.




Re: Tweet by patrick wardle

Brian L. Matthews
On 9/26/17 5:55 PM, LuKreme wrote:
> On Sep 26, 2017, at 10:55, Fritz Mills <[hidden email]> wrote:
>> I think this exposes a big vulnerability…
>>
>> patrick wardle (@patrickwardle)
>> on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)
>
> Nope. Not only is this not a big deal, it is nothing new.
>
> In order to dump the keychain you need a program that has accessibility permissions to control the GUI, which requires admin authorization, or you have to convince the user to click a button for every single item in the keychain.

The flaw allows dumping the entire keychain by a program that doesn't have any special permissions (and doesn't even have to be signed), and doesn't ask the user anything (except to allow it to run if it's unsigned). Read the Twitter thread here: https://twitter.com/patrickwardle/status/912254053849079808, Patrick's post here: https://www.patreon.com/posts/14556409, and watch the video referenced in the Patreon thread.

Although you're right it's nothing new--the problem's existed since at least El Capitan.

Brian




Re: Tweet by patrick wardle

Al Varnell
Brian beat me to it.

Stop reading all the FUD that's being written about this and focus on what Patrick's post said, especially the FAQ's at the end in response to some of the questions and over-reactions he received over this. Mostly bad timing to have Tweeted at almost the exact time that High Sierra was released.

No question that Apple needs to do a better job at reacting to vulnerability notifications (including mine) and work faster to resolve them before the bad guys find a way to exploit them.

-Al-

On Sep 26, 2017, at 6:36 PM, Brian L. Matthews wrote:
> On 9/26/17 5:55 PM, LuKreme wrote:
>> On Sep 26, 2017, at 10:55, Fritz Mills wrote:
>>> I think this exposes a big vulnerability…
>>>
>>> patrick wardle (@patrickwardle)
>>> on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)
>>
>> Nope. Not only is this not a big deal, it is nothing new.
>>
>> In order to dump the keychain you need a program that has accessibility permissions to control the GUI, which requires admin authorization, or you have to convince the user to click a button for every single item in the keychain.
>
> The flaw allows dumping the entire keychain by a program that doesn't have any special permissions (and doesn't even have to be signed), and doesn't ask the user anything (except to allow it to run if it's unsigned). Read the Twitter thread here: https://twitter.com/patrickwardle/status/912254053849079808, Patrick's post here: https://www.patreon.com/posts/14556409, and watch the video referenced in the Patreon thread.
>
> Although you're right it's nothing new--the problem's existed since at least El Capitan.
>
> Brian


