Keychain Vulnerability in macOS
A new vulnerability in macOS was discovered by Patrick Wardle, Chief Security Researcher at security firm Synack, who already revealed several critical security problems in macOS in the past. This safety issue in macOS enables attackers to steal your passwords, user names, credit card numbers, and other sensitive information stored in the macOS password manager Keychain.

Wardle writes:

As this is a local attack, this means a hacker or piece of malware must first infect your Mac! Typical ways to accomplish this include emails (with malicious attachments), fake web popups (“your Flash player needs updating”), or sometimes legitimate application websites are hacked (e.g. Transmission, Handbrake, etc.).

Therefore you are not affected unless you have somehow downloaded malware from untrusted sources. Unfortunately, this vulnerability hasn’t been fixed yet (the current version of macOS as of today is 10.13.0) and I don’t want to rely solely on hoping I don’t get infected.

Wardle continues:

Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login), or (via the Keychain Access app) lock the keychain while you are not using it.

Your user account and your default keychain, the login keychain, share the same password by default. So whenever you log into your user account, the keychain is automatically unlocked too. Wardle suggests using a different password for the login keychain, so that it isn’t automatically unlocked as soon as you log in. While the keychain is locked, it cannot be read by unauthorized malicious applications.

Apple describes how to change the Keychain password: simply open Keychain Access, click Edit in the menu bar, then click Change password for Keychain “login”….

Changing the Keychain password to a password different from your regular user password should make your Mac a lot safer. Even after Apple has patched this vulnerability, it should be safer to keep using two different passwords and unlock the keychain only when actually needed.
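As an added example (not code from the original post or from Wardle), here is a small shell script that audits the login keychain’s auto-lock settings with macOS’s `security` command line tool and, when run with `--harden`, turns on lock-on-sleep plus an inactivity timeout, which is the command line counterpart of locking the keychain in Keychain Access as described above. The line format assumed for `security show-keychain-info` (`Keychain "<path>" [lock-on-sleep] timeout=<N>s | no-timeout`) and the 5 minute timeout are my assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: audit (and optionally harden) the login keychain's auto-lock
# settings with the macOS `security` tool. Only the parsing runs off macOS.

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"  # default path on 10.12+
MAX_TIMEOUT=300  # seconds of inactivity before locking; a chosen value, not from the post

# keychain_lock_status INFO_LINE
# INFO_LINE is one line as printed by `security show-keychain-info`, assumed format:
#   Keychain "<path>" [lock-on-sleep] (timeout=<N>s | no-timeout)
# Prints "ok" when the keychain locks on sleep AND after at most MAX_TIMEOUT
# seconds; otherwise prints "weak: <reasons>". Returns 0 for ok, 1 for weak.
keychain_lock_status() {
  line="$1"
  reason=""
  case "$line" in
    *lock-on-sleep*) ;;
    *) reason="no lock-on-sleep" ;;
  esac
  case "$line" in
    *no-timeout*) reason="${reason:+$reason, }no auto-lock timeout" ;;
    *timeout=*)
      secs=$(printf '%s\n' "$line" | sed -n 's/.*timeout=\([0-9]*\)s.*/\1/p')
      if [ -z "$secs" ] || [ "$secs" -gt "$MAX_TIMEOUT" ]; then
        reason="${reason:+$reason, }timeout ${secs:-unknown}s exceeds ${MAX_TIMEOUT}s"
      fi ;;
    *) reason="${reason:+$reason, }unrecognised settings line" ;;
  esac
  if [ -z "$reason" ]; then printf 'ok\n'; return 0; fi
  printf 'weak: %s\n' "$reason"
  return 1
}

# harden_login_keychain: lock on sleep (-l) and after MAX_TIMEOUT idle seconds (-u -t).
# Changing the keychain password itself is interactive and deliberately not automated:
#   security set-keychain-password "$LOGIN_KEYCHAIN"
harden_login_keychain() {
  security set-keychain-settings -l -u -t "$MAX_TIMEOUT" "$LOGIN_KEYCHAIN"
}

if command -v security >/dev/null 2>&1; then  # only on macOS
  info=$(security show-keychain-info "$LOGIN_KEYCHAIN" 2>&1)  # tool prints to stderr
  status=$(keychain_lock_status "$info" || true)
  printf '%s: %s\n' "$LOGIN_KEYCHAIN" "$status"
  if [ "$1" = "--harden" ] && [ "$status" != "ok" ]; then harden_login_keychain; fi
fi
```

Run it once to see the verdict, then with `--harden` to apply the lock settings; changing the keychain password stays a manual step.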

Update: Apple released a Supplemental Update on October 5, 2017 which addresses this Keychain Vulnerability, amongst others, and can be downloaded from the Mac App Store. Apparently, this update is available only for macOS High Sierra—even though Sierra, El Capitan, and possibly even older versions of the macOS operating system are also affected by this keychain vulnerability. This is quite unfortunate, since I plan not to upgrade to High Sierra yet due to problems with the newly introduced file system APFS.