New Keychain vulnerability in OS X

By Steve Ragan

Compromised passwords delivered via SMS, using code wrapped around harmless files that won’t trigger security warnings

Antoine Vincent Jebara and Raja Rahbani, the co-founder and lead engineer of MyKi – an identity management company in Beirut – have discovered a vulnerability in Apple’s password management system (Keychain) which, if exploited, enables an attacker to compromise stored credentials at will.

While working with Apple’s password manager for their own product, Jebara and Rahbani noticed that if specially crafted terminal commands were issued, they could make Keychain disclose passwords with little to no user interaction.
