Jun 1, 2019 5:00 AM

The Tricky Shenanigans Behind a Stealthy Apple Keychain Attack

An 18-year-old security researcher made headlines earlier this year with KeySteal, a macOS hack. Now he's showing the world how it worked.

In early February, an 18-year-old German security researcher named Linus Henze demonstrated a macOS attack that would allow a malicious application to grab passwords from Apple's protected keychain. "You know, the ones 'securely' stored so that no one can steal them :)" he wrote. Dubbed KeySteal, the attack called attention to the fact that the macOS keychain makes a very attractive target for hackers. Apple patched the flaw that KeySteal was exploiting at the end of March.

Initially, Henze refused to share details of his hack with Apple, telling media outlets that it was because the company does not have a bug bounty program for macOS. Now, having eventually changed his mind and revealed it to Apple, he is also showing exactly how it works at the Objective by the Sea Mac security conference in Monaco this weekend.

Apple's keychain is essentially a native macOS password manager. Even if you don't use it as your primary password organizer, there's probably still sensitive stuff in there: The keychain is so seamlessly integrated into macOS that you may have saved some login credentials there without realizing it. The service can also store digital certificates used in web encryption and be used to manage public and private keys for encryption. Basically, it's a reliably fruitful target for an attacker to hit, and other researchers have warned about keychain attacks in the past.

"I think the keychain is really good, because it’s way better storing your passwords in the keychain than to reuse all your passwords," Henze told WIRED ahead of his talk. "But I show how I exploited the keychain, how I found the bug, and how the full exploit works. I think the vulnerability has been in macOS for a long time, maybe five years or perhaps more."

While it's always possible someone else discovered and exploited the KeySteal vulnerability before Apple patched it, Henze says he thinks it's unlikely. Most attackers focus on finding bugs that give them fundamental access to the kernel, the control program at the heart of an operating system. A kernel bug would give an attacker access to the keychain anyway, along with everything else.

KeySteal is limited to accessing the keychain, but it would be an effective attack for anyone who happened upon the bug. It does require tricking a target into downloading an app that secretly contains the malicious KeySteal exploit, but that’s a strategy hackers successfully use all the time.

The KeySteal attack works by exploiting a flaw that is not in Apple’s keychain itself, but in a security service that facilitates connections between the keychain and other macOS applications. Henze says that he found the bug while looking at the security of the "sandbox" that constrains web applications running in Safari. A sandbox is a sort of walled garden that keeps programs from being able to access other parts of a system. This way, if a program has a vulnerability, an attacker exploiting it still won't be able to get beyond its sandbox to do larger damage.

Henze noticed that from within Safari, programs could talk to the security service that also manages the keychain to check things like passwords and web encryption certificates. He downloaded the framework for this service so he could study it more closely and noticed that when he initiated a session through Safari to talk to the security service, he could manipulate various attributes of the session.

Meanwhile, Henze also realized that Apple offers a small program that is allowed to access the keychain without prompting the user to enter their password. The tool exists as part of a suite of programs meant to be used by IT administrators running enterprise security on a large fleet of Macs. Using these tools, an admin can create or delete keychains, migrate them, or add login credentials to many keychains at once without users needing to be involved. But these tools are present in all Macs, not just those enrolled in Apple's enterprise system.

It was possible, Henze discovered, to manipulate the session between Safari and the security service to make it seem like the session was initiated by the special, trusted keychain admin program that doesn't require user authentication. In this way, Henze could trick the security service into piping the decrypted contents of the keychain into an application he controlled.

Apple's patch fixes the flaw and blocks the attack by preventing the security service from trusting manipulated sessions. Apple did not return multiple requests from WIRED for comment on the mechanics of KeySteal or Henze's disclosure.

Mac researchers emphasize that keychain attacks are fairly common—and are therefore a crucial area for Apple to continue to improve. "I hate to say it, but I really wasn’t particularly surprised by KeySteal," says Thomas Reed, a Mac research specialist at the security firm Malwarebytes. "I’ve seen plenty of attacks against the keychain, so although this one was a stealthy new technique, gaining access to passwords in the keychain is far from unheard of."

Henze, who just turned 19, points out that Apple's bug bounty is only for the most critical iOS flaws like kernel bugs and doesn't apply to a vulnerability like KeySteal in a macOS application. "In the beginning I was trying to get them to tell me why Apple doesn’t have a bug bounty program for macOS," Henze says. "A few weeks later I decided to send Apple my exploit, and then they fixed it, but I still don’t have a response from them about the bug bounty program."

Researchers can always submit general bug reports that don't carry the possibility of a financial reward. But given how common it's become for researchers to find sensitive flaws like keychain bugs—or worse—Henze says it's time for Apple to offer more incentives to submit vulnerabilities. You wouldn't want something like KeySteal in the wild forever without a patch.