
Password Insecurities in Mac OS X


·Nov 3, 2024

Hey guys, this is macheads101, and today I'm going to be talking about a little security hole in Mac OS X that allows people to get your passwords if they have access to your computer.

Um, so basically the way this works is whenever you enter a password in an application or anything like that, Mac OS X or the application really stores the password in something called your keychain. Your keychain is protected with the password, but most of the time, people with automatic login have their keychain unlocked. So any application can really access any of your passwords and stuff like that, and it's very easy.

Now, you will get a confirmation about this, so you don't have to really worry that much about viruses doing this or anything, but I just want to run a couple scenarios by you first.

So the first scenario is that you go into the Apple Store, and you go on iChat. In order to do that, you have to add your account, type in your password, and you're on iChat. Now when you're done, you are a secure user, so you delete your account from iChat and you walk away from the computer. Now, in this particular example, iChat has stored your password in the keychain, and when you delete your account from iChat, it doesn't remove your password from the keychain.

So, someone could come up to that computer, who knows how to get stuff from the keychain, and they can take your password from the computer and use it. So that's the problem, because there's a public location where people, I've seen people using iChat at the Apple Store. You know, it's something people do, and it really makes your AIM account more susceptible to hackers.

Now, it's not like a lot of people know how to get passwords from the keychain, and the thing is that Keychain Access, which is the Mac application that allows you to read stuff from the keychain and get stuff, requires you enter a password. But this isn't actually enforced throughout Mac OS X.

So I've made a little application right here called Password Stealer. You'll see a link in the description to download this and its source code. So, I'll go ahead and open this up. What you can do here is it can read your keychain. So you select the type of password you'd like it to take from your keychain. I'll do AIM and I'll click steal.

Now, it's not actually taking your passwords or posting them or anything like that, just keep that in mind. But what it's going to ask you to do is it's going to say that it wants to access an item. For each item, Mac OS X is going to ask you if you want to access the password.

Now, this could be a good thing because if a virus tries to access your keychain, you'll see this little window. But it's a very, very bad thing if someone is on your computer, and all they have to do to get your password now is click allow. Now, they have to do this for each item, and it can get annoying, but they really just have to sit there and spam allow until, you know, it reads everything in your keychain.

So I'm going to go ahead and click allow a lot of times and do a cut, and when I'm done, I'll show you what the information that it actually gets will look like. Alright, so I got the information that I wanted, and I just entered in dummy information. This isn't actually real information, but the format that this will output it in is let's say the username equals, and then it quotes the username, the password equals, and then it quotes the password, and the service is the, uh, you know, the service.

So if it's AIM, it'll be AIM. If it's for an application, it'll be for that application, stuff like that. So if I selected everything, AIM wouldn't be the only service. Now this post button here doesn't do anything in this because you haven't configured this, and what that really is for is if you have an evil intention of using this, you can configure that if you're a programmer.

But so you can look at that in the source code and get that configured if you want, but I wouldn't suggest it because, you know, you could get in trouble for that stuff like that.

But, um, so that's the Password Stealer app, and all this does — Apple actually has a programming interface for accessing the keychain, so it's only, you know, it's not that much code, and it's not that challenging to do this where it doesn't require the user's password, and it can just read their passwords.

Now at this point, you're probably wondering, "Well golly, someone's going to do this to me and I'm going to be in deep trouble." And that's where you're wrong, because now that you've watched this video, you're educated on the problem.

What you can do is you can open up Keychain Access by going to your apps, going to Utilities, one second, and opening up Keychain Access. Right somewhere around here, yeah. Alright, or you can search down Spotlight. When this opens up, you'll see all your keychains. I'm going to blur that out, and all your stuff where the passwords are. I might or might not blur this out; it doesn't really matter.

So let's say I want to make this — this is just an example; I don't even know what this is. I think this is, um, for — yeah this is my school. So I'm gonna make it so in order to access this password in my keychain, I need to enter my password. So I go to Access Control after I double click it, and I say, um, I first check "Confirm before allowing access" and then I check "Ask for keychain password."

Now, whenever anything asks to use this, I'll have to type my keychain password. Now also, if I see an app here, these are all the apps that can access this. I don't want Password Stealer to be able to access this, so that's going away.

So this is a really easy way to make stuff more secure. Now I'm not going to bother saving this; it doesn't really matter. Another thing you can do is lock the keychain where it'll actually — next time an app wants to access my keychain, it'll ask me for my password.

So now if I click steal, it's going to ask me for my password. I'll click cancel, and it's going to keep on asking. I think — oh my god, I'm gonna have to force quit this, one second. Um, yeah, so that's what that does.

So that is one way to make yourself secure. Another way is to open up System Preferences; it should be really easy to get the System Preference environment, and in here you go to Accounts, you go to Login Options, and where it says Automatic Login, you're gonna have to unlock this.

Where it says Automatic Login, you're gonna want to set that to off. What that will basically do is allow you to, uh, you know, log into your computer when it starts up. So if someone takes your computer and they turn it on, it won't log in for you, for them. They'll have to type your password — and if they can't, your keychain will be locked with your password, and they won't be able to get anything from it.

So these are really just my lessons of security on how to make your keychain — how to lock your keychain. You should always have automatic login off, and you should never use iChat at the Apple Store.

Now, if you do decide to use iChat at the Apple Store — at the Apple Store in particular — when you turn off and back on the computer, when you restart the computers, it actually wipes the disk and it wipes all the keychain and everything like that.

So if you're really concerned and you use the computer at the Apple Store for something that might save your password, just shut down the computer and turn it back on, and it'll be fine.

So anyway, that is my little lesson on keychain security. So thanks for watching; macheads101. Subscribe and goodbye!
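
The two settings recommended above (a keychain that locks itself, and automatic login turned off) can also be checked from Terminal. This is an added example, not part of the video or the Password Stealer source; the function names and the sample output strings in the comments are constructed, and it assumes the stock macOS `security` and `defaults` tools.

```shell
#!/bin/sh
# Added example: audit the keychain lock settings and automatic login.
# Function names and sample strings are constructed for illustration.

# Inspect one line of `security show-keychain-info` output, e.g.
#   Keychain "/Users/a/Library/Keychains/login.keychain" lock-on-sleep timeout=300s
# Prints one finding per weak setting; prints nothing if both are fine.
keychain_findings() {
    info=$1
    case $info in
        *lock-on-sleep*) ;;
        *) echo "keychain does not lock on sleep" ;;
    esac
    case $info in
        *no-timeout*) echo "keychain never auto-locks" ;;
    esac
}

# $1 is the autoLoginUser value from the loginwindow preferences
# (empty when the key is absent, i.e. automatic login is off).
autologin_finding() {
    if [ -n "$1" ]; then
        echo "automatic login enabled for $1"
    fi
}

# Query the live system only on macOS and only when asked to.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--audit" ]; then
    # show-keychain-info reports on stderr, so merge it into stdout.
    info=$(security show-keychain-info 2>&1 || true)
    user=$(defaults read /Library/Preferences/com.apple.loginwindow \
        autoLoginUser 2>/dev/null || true)
    keychain_findings "$info"
    autologin_finding "$user"
    # Remediation for the keychain: lock on sleep and after 5 idle minutes.
    #   security set-keychain-settings -l -u -t 300
    # Lock it immediately:
    #   security lock-keychain
fi
```

Run it with `--audit` on a Mac; no output means the login keychain locks on sleep and on a timeout, and no automatic-login user is configured.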
