A San Francisco-based programmer and Apple fan has uncovered a rather serious flaw in OS X which can allow an attacker to grab a plain-text copy of the password for the currently logged-in account.
Apple has confirmed the bug, although it is downplaying the severity because exploiting it requires physical access to the machine: so far, no-one has found a way to trigger it remotely. Despite this, discoverer Jacob Applebaum (and isn't that an ironic name) describes the issue as a "real problem and it needs to be fixed."
The flaw is a result of poor handling of the unlocking process. When the system prompts for the account password, it uses that password to unlock the keychain file, which holds all of the user's saved credentials for wireless networks, SSH connections, and the like. Instead of discarding the password as soon as the unlock operation is complete, OS X leaves it sitting in RAM until the user logs out.
This means that if an attacker can dump a copy of the machine's memory, he can simply search through the dump for your passphrase, in the clear.
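The two sides of that mechanism, as an added example that is not part of the original article and not Apple's code: a stand-in "keychain unlock" routine that copies the password into a simulated process heap (a static byte array here, standing in for the RAM an attacker would dump), and an attacker-side scan of that image. The key derivation, the buffer location and the password `hunter2` are all assumptions made up for the example; the point it shows is that keeping the buffer after use is what makes the password recoverable, and that wiping it with a store the compiler cannot optimise away costs nothing in functionality.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory (constructed for this example). An attacker who
 * can read the machine's RAM sees the equivalent of this whole array. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];

/* Hypothetical offset of the unlock routine's working buffer inside the arena. */
#define PASSWORD_BUF_OFFSET 512

static void reset_arena(void) { memset(arena, 0, sizeof arena); }

/* Wipe through a volatile function pointer: a plain memset() before free() or
 * return is a dead store the optimiser may legally delete; this one is not. */
static void *(*volatile memset_v)(void *, int, size_t) = memset;
static void secure_wipe(void *p, size_t n) { memset_v(p, 0, n); }

/* Stand-in for the keychain unlock: copies the password into the working
 * buffer, "derives" a key from it (an xor-fold, NOT real cryptography), and
 * either wipes the buffer afterwards or leaves it in memory as OS X did. */
static int unlock_keychain(const char *password, int wipe_after) {
    size_t n = strlen(password);
    unsigned char *buf = arena + PASSWORD_BUF_OFFSET;
    memcpy(buf, password, n + 1);            /* password now lives in "RAM" */
    unsigned char key = 0;
    for (size_t i = 0; i < n; i++) key ^= buf[i];
    if (wipe_after) secure_wipe(buf, n + 1); /* the fix: discard it once used */
    return key;
}

/* Attacker side, known-plaintext check: offset of `secret` in the image, or -1. */
static long find_secret(const unsigned char *image, size_t len, const char *secret) {
    size_t n = strlen(secret);
    if (n == 0 || n > len) return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(image + i, secret, n) == 0) return (long)i;
    return -1;
}

/* Attacker side without a known password: count printable-ASCII runs of at
 * least min_len bytes, the same thing `strings` does on a memory dump. */
static size_t printable_runs(const unsigned char *image, size_t len, size_t min_len) {
    size_t count = 0, run = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = i < len && image[i] >= 0x20 && image[i] < 0x7f;
        if (printable) {
            run++;
        } else {
            if (run >= min_len) count++;
            run = 0;
        }
    }
    return count;
}

int main(void) {
    const char *pw = "hunter2"; /* constructed sample password */

    reset_arena();
    unlock_keychain(pw, 0);     /* OS X behaviour: buffer kept */
    printf("no wipe: password at offset %ld, %zu candidate strings\n",
           find_secret(arena, ARENA_SIZE, pw), printable_runs(arena, ARENA_SIZE, 4));

    reset_arena();
    unlock_keychain(pw, 1);     /* wiped after use */
    printf("wipe:    password at offset %ld, %zu candidate strings\n",
           find_secret(arena, ARENA_SIZE, pw), printable_runs(arena, ARENA_SIZE, 4));
    return 0;
}
```

The derived key is identical in both runs, which is the whole argument: nothing downstream of the unlock needs the raw password, so there is no reason for it to outlive the operation. A real dump is noisier than a zeroed arena, but a `strings`-style pass followed by trying each candidate against the keychain is exactly the kind of search the article describes.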
There's no particular reason why the passphrase should be kept in RAM after the operation has finished, and plenty of reasons to get rid of it as soon as possible. Quite why Apple has chosen not to isn't clear, and the company isn't being forthcoming with details. When asked about the vulnerability, spokesman Anuj Nayar told CNet that the company was "aware of this locally exploitable vulnerability" and would be issuing a fix in the near future.
Anybody with a background in computer security will tell you the number one rule in infosec: once the attacker has physical access, it's game over. Even so, it shouldn't be quite this easy to grab every password a user has ever saved.