Startup Sauna alumni discover critical OS X vulnerability that lets hackers steal all your passwords

September 2, 2015

While working on their product, Antoine Vincent Jebara and Raja Rahbani, co-founder and lead engineer of Startup Sauna fall ’14 alumni MyKi, discovered a vulnerability in Apple’s Keychain that enables the compromise of credentials stored in OS X.

“We have discovered a critical vulnerability in OSX that allows a malicious party to steal all passwords, certificates and private keys from the OSX keychain without user consent,” says Priscilla Sharuk, Startup Sauna attendee and co-founder of MyKi.

We were lucky enough to get a hold of Jebara, Rahbani and Sharuk for a few questions.

How did you discover this vulnerability?

We discovered the vulnerability while working on the keychain for our product, MyKi, an identity management software.

Can you elaborate on how the vulnerability exactly works?

We noticed that if we issue specially crafted terminal commands, we could trigger the keychain to disclose unencrypted password dumps with minimal user interaction. Instead of asking for the user’s keychain password, the keychain prompts the user to click on an ‘allow’ button.

We wrote a proof of concept exploit that triggers the command and simulates a user mouse keypress on the exact location where the ‘allow’ button appears (it happens in less than 200ms). The ‘allow’ button appears 10% to the right of the centre of the screen and 7% below it.

We noticed that the only issue that could affect the location of this ‘allow’ button is the size of the dock so we also issue a command that hides the dock for 500ms in order for us to successfully press the ‘allow’ button.

After pressing the ‘allow’ button we intercept the password, and send it by SMS to our phone (the SMS could be replaced with anything, e.g. the password could be stored locally or sent to the hacker’s server).

The picture that you saw is actually our malicious code wrapped around an image so after executing the previous steps, we display the image to the user via the ‘preview’ app so that he doesn’t feel suspicious.

The malicious code can be wrapped around anything: a picture (as shown in the demo), an Excel sheet, a Word document, an actual app…

“This vulnerability allows hackers to literally have your passwords sent to them via SMS!”

I have a Mac, how the hell will this be fixed?

The fix would be either to alter the way the keychain responds to our crafted commands and prompt the user for a password the way it is supposed to, or to use our solution, MyKi, which adds security layers on top of the keychain. A third alternative would be to stop using the keychain, but that is difficult to accomplish knowing that OS X relies heavily on it.

How has Apple responded?

They haven’t, yet.

Why did you disclose instead of just going public?

We disclosed because we feel that it is the right thing to do knowing that a vulnerability of this magnitude would have disastrous consequences (you wouldn’t be able to open any third-party file on your computer without the risk of losing all of your sensitive information until Apple issues a patch). But this doesn’t prevent us from going public either after Apple issues a patch or in 3 days if Apple doesn’t respond to our email (we set the 3 days deadline because we feel that if this vulnerability is discovered by a black hat it would create a huge problem).

In the video, the Outlook password was sent to the phone. What app were you guys running? And was it the image that triggered the vulnerability?

We sent the password via SMS and yes, the image did trigger the vulnerability.

The vulnerability is extremely critical as it allows anyone to steal all of your passwords remotely by simply downloading a file that doesn’t look malicious at all and that can’t be detected by malware detectors because it doesn’t behave the way malware usually does.