Password Insecurities in Mac OS X


6m read
·Nov 3, 2024

Hey guys, this is MacHeads101, and today I'm going to be talking about a little security hole in Mac OS X that allows people to get your passwords if they have access to your computer.

So basically the way this works is whenever you enter a password in an application or anything like that, Mac OS X (or the application, really) stores the password in something called your keychain. Your keychain is protected with a password, but most of the time, people with automatic login have their keychain unlocked. So any application can really access any of your passwords and stuff like that, and it's very easy.

Now, you will get a confirmation about this, so you don't have to worry that much about viruses doing this or anything, but I just want to run a couple of scenarios by you first.

So the first scenario is that you go into the Apple Store, and you go on iChat. In order to do that, you have to add your account and type in your password, and you're on iChat. Now when you're done, you are a secure user, so you delete your account from iChat and you walk away from the computer. Now, in this particular example, iChat has stored your password in the keychain, and when you delete your account from iChat, it doesn't remove your password from the keychain.

So someone who knows how to get stuff from the keychain could come up to that computer, take your password from it and use it. So that's the problem, because it's a public location, and I've seen people using iChat at the Apple Store. You know, it's something people do, and it really makes your AIM account more susceptible to hackers.

Now, it's not like a lot of people know how to get passwords from the keychain, and the thing is that Keychain Access, which is the Mac application that allows you to read stuff from the keychain and get stuff, requires you to enter a password. But this isn't actually enforced throughout Mac OS X.

So I've made a little application right here called Password Stealer. You'll see a link in the description to download this and its source code. So I'll go ahead and open this up. What you can do here is have it read your keychain. You select the type of password you'd like it to take from your keychain. I'll do AIM, and I'll click Steal.

Now, it's not actually taking your passwords or posting them or anything like that, just keep that in mind. But what it's going to do is say that it wants to access an item. For each item, Mac OS X is going to ask you whether you want to allow access to the password.

Now, this could be a good thing, because if a virus tries to access your keychain, you'll see this little window. But it's a very, very bad thing if someone is on your computer, and all they have to do to get your password now is click Allow. Now, they have to do this for each item, and it can get annoying, but they really just have to sit there and spam Allow until, you know, it reads everything in your keychain.

So I'm going to go ahead and click Allow a lot of times and do a cut, and when I'm done, I'll show you what the information it actually gets will look like. Alright, so I got the information that I wanted, and I just entered dummy information. This isn't real information, but the format it outputs it in is: username equals, and then the username in quotes; password equals, and then the password in quotes; and the service is the, you know, the service.

So if it's AIM, it'll be AIM. If it's for an application, it'll be for that application, stuff like that. So if I had selected everything, AIM wouldn't be the only service. Now, this Post button here doesn't do anything because it hasn't been configured, and what that's really for is, if you have an evil intention of using this, you can configure that if you're a programmer.

So you can look at that in the source code and get it configured if you want, but I wouldn't suggest it because, you know, you could get in trouble for stuff like that.

So that's the Password Stealer app. Apple actually has a programming interface for accessing the keychain, so it's not that much code, and it's not that challenging to do this in a way that doesn't require the user's password and can just read their passwords.

Now at this point, you're probably wondering, "Well golly, someone's going to do this to me and I'm going to be in deep trouble." And that's where you're wrong, because now that you've watched this video, you're educated on the problem.

What you can do is open up Keychain Access by going to your apps, going to Utilities, and opening up Keychain Access. Right, somewhere around here, yeah. Alright, or you can search in Spotlight. When this opens up, you'll see all your keychains (I'm going to blur that out) and all your stuff where the passwords are. I might or might not blur this out; it doesn't really matter.

So let's say I want to make this one... this is just an example; I don't even know what this is. I think this is for... yeah, this is my school. So I'm gonna make it so that in order to access this password in my keychain, I need to enter my password. So I double-click it, go to Access Control, and first check "Confirm before allowing access" and then check "Ask for keychain password."

Now, whenever anything asks to use this, I'll have to type my keychain password. Also, if I see an app here (these are all the apps that can access this), I don't want Password Stealer to be able to access this, so that's going away.

So this is a really easy way to make stuff more secure. Now, I'm not going to bother saving this; it doesn't really matter. Another thing you can do is lock the keychain, so that the next time an app wants to access my keychain, it'll ask me for my password.

So now if I click Steal, it's going to ask me for my password. I'll click Cancel, and it's going to keep on asking. I think... oh my god, I'm gonna have to force quit this, one second. Yeah, so that's what that does.

So that is one way to make yourself secure. Another way is to open up System Preferences; it should be really easy to get to System Preferences. In here you go to Accounts, you go to Login Options, and where it says Automatic Login, you're gonna have to unlock this.

Where it says Automatic Login, you're gonna want to set that to Off. What that will basically do is allow you to, you know, log into your computer when it starts up. So if someone takes your computer and they turn it on, it won't log in for you, or for them. They'll have to type your password, and if they can't, your keychain will be locked with your password, and they won't be able to get anything from it.

So these are really just my security lessons on how to lock your keychain. You should always have automatic login off, and you should never use iChat at the Apple Store.

Now, if you do decide to use iChat at the Apple Store (at the Apple Store in particular), when you turn the computer off and back on, when you restart the computers, it actually wipes the disk and it wipes the whole keychain and everything like that.

So if you're really concerned and you use the computer at the Apple Store for something that might save your password, just shut down the computer and turn it back on, and it'll be fine.

So anyway, that is my little lesson on keychain security. So thanks for watching; MacHeads101. Subscribe and goodbye!
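The defenses the video walks through in the Keychain Access and Accounts panes (lock the keychain, and turn automatic login off so the keychain stays locked at boot) can also be audited and applied from the command line. The script below is an added example, not the video's Password Stealer code or anything the speaker published. It assumes the macOS `security` and `defaults` tools and that the login window stores the auto-login account under the `autoLoginUser` key; the `show-keychain-info` lines it audits are constructed samples that mirror the tool's one-line report, and the account name `matt` is made up. The per-item "Ask for keychain password" setting shown in the video stays a Keychain Access step; the script does not try to replace it.

```shell
#!/bin/sh
# Added example (not from the video): audit and harden the login keychain
# defenses the video describes, from the command line.
#   * the default keychain should lock on sleep and after inactivity
#   * automatic login should be off, so the keychain is locked at boot
# Assumes the macOS `security` and `defaults` tools; the live calls are
# guarded so the audit helpers still run on other systems. The loginwindow
# key name `autoLoginUser` is an assumption about where macOS stores the
# auto-login account.

# audit_keychain_settings: reads one line of `security show-keychain-info`
# output on stdin, prints a verdict, and returns 0 only when the keychain
# both locks on sleep and locks after an inactivity timeout.
audit_keychain_settings() {
    line=$(cat)
    case "$line" in
        *lock-on-sleep*timeout=*)
            echo "ok: locks on sleep and after inactivity"; return 0 ;;
        *lock-on-sleep*)
            echo "weak: locks on sleep but never on inactivity"; return 1 ;;
        *timeout=*)
            echo "weak: locks after inactivity but stays unlocked through sleep"; return 1 ;;
        *)
            echo "weak: keychain never locks on its own"; return 1 ;;
    esac
}

# audit_autologin: takes the value of autoLoginUser (empty when the key is
# absent, i.e. automatic login is off). Returns 0 when automatic login is off.
audit_autologin() {
    if [ -z "$1" ]; then
        echo "ok: automatic login is off"
        return 0
    fi
    echo "weak: automatic login is on for user '$1'; the keychain is unlocked at boot"
    return 1
}

# harden_keychain: make the default keychain lock on sleep (-l) and after N
# seconds of inactivity (-u -t N), then lock it right now, the CLI version of
# the "lock the keychain" step in the video.
harden_keychain() {
    timeout_s=${1:-300}
    security set-keychain-settings -l -u -t "$timeout_s" &&
    security lock-keychain
}

# audit_system: run both audits against the live machine. show-keychain-info
# reports on stderr, hence 2>&1. Reports only; never aborts the script.
audit_system() {
    security show-keychain-info 2>&1 | audit_keychain_settings || :
    audit_autologin "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" || :
}

# demo: on a Mac, audit the real system; elsewhere, exercise the audit logic
# over constructed sample lines.
demo() {
    if command -v security >/dev/null 2>&1; then
        audit_system
    else
        echo 'Keychain "<NULL>" lock-on-sleep timeout=300s' | audit_keychain_settings || :
        echo 'Keychain "<NULL>" no-timeout' | audit_keychain_settings || :
        audit_autologin "" || :
        audit_autologin "matt" || :   # constructed account name
    fi
}

demo
```

Run it as-is to see the verdicts; on a Mac that fails the keychain check, `harden_keychain 300` applies the lock-on-sleep and five-minute inactivity settings, and turning automatic login off is still done in System Preferences as the video shows.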
