Jan 11, 2018 Generally speaking, web page pop-ups, or emails telling you that you have been hacked, are SCAMs. I should also mention that if you give someone access to your Mac as you, then they could surf to Amazon and if you are currently logged into Amazon and Amazon has your credit card, they could buy things, but specify an alternate delivery address. Jul 27, 2016 Disabling keychain popup window in mac Please follow the steps below step 1) Click on empty screen or go to finder and click on finder 2) In Finder, long press/hold the.
You should not give anyone you do not trust control of your computer.
Generally speaking, they would need to know your login password to make any changes or see your passwords in Keychain. But giving someone access to your Mac would allow them to install software that may compromise your system.
So again, you must trust them to allow them control of your Mac.
Mac anti-virus packages generally are bad ports of the Windows versions, which tend to cause more problems then they solve, especially considering there are no Mac viruses in the wild.
Jan 11, 2018 9:44 AM
A security researcher has discovered a vulnerability in the macOS Keychain that could allow an attacker to steal users’ passwords.
Linuz Henze recently published a video demonstrating the exploit on macOS Mojave. In the clip, Henze shows off a proof-of-concept app called KeySteal that can swipe passwords from both a Mac’s “login” and “system” keychains.
How To Use Mac Keychain
Worryingly, the KeySteal application can access and view a Mac’s keychains without needing to input a user profile’s password. It is also able to bypass Apple security measures — including those baked into the T2 chips in newer Mac platforms.
KeySteal needs to be launched when a user is logged in. But it could pose a serious threat if it is inadvertently downloaded by a user — or if it covertly makes its way onto a machine.
If there’s a bright side to KeySteal, it’s the fact that the exploit can’t be used to access passwords stored in iCloud Keychain. But it’s still a significant vulnerability for Mac users.
Mac Keychain Path
Is Apple Going to Fix It?
Normally, at this point, we’d say that Apple has been alerted to the details of the vulnerability and is working on a fix. But that may not be the case in this scenario.
That’s because Henze has not shared the details of the exploit with Apple. Why? The security researcher is protesting Apple’s Mac bug bounty policies (via Heise.de).
Apple rewards independent security researchers (and others) with monetary bounties for finding exploits and vulnerabilities for its iOS platform. But there’s no such program for macOS.
That means that independent security researchers who discover flaws within the macOS platform aren’t rewarded for their time and effort. Henze, for his part, thinks this is unfair.
On the flip side, it isn’t clear how KeySteal works on a technical level. Henze didn’t publicly disclose the exploit itself — presumably to prevent widespread use of the vulnerability.
Henze, a self-professed iOS and macOS fan, has a past track record of spotting legitimate vulnerabilities. So it’s likely that KeySteal is actually a threat, and not just a ploy to get Apple to change its bug bounty policies.
The security researcher is also calling on other hackers to publicly reveal other Mac security flaws — but withhold their inner workings from Apple. The ultimate goal, it seems, is to put pressure on the Cupertino tech giant to expand its bug bounty program to macOS.
Whether Henze will achieve that goal remains to be seen. In the meantime, macOS users should take proactive steps to protect themselves from KeySteal — especially since it may be some time before Apple manages to patch it.
How to Protect Yourself
At this point, it seems like the only way to mitigate the KeySteal vulnerability is to lock the Mac Keychain with an additional password, which isn’t exactly practical.
If you right-click on a keychain, you can manually lock it with an additional password. Get Info > Access Control > Ask for Keychain Password.
Mac Keychain Passwords
This will result in a popup password prompt every time a system needs to access certain keychain data, but it’s still a reliable way to protect that data against KeySteal for the time being.