Decrypt all authorization tokens on macOS without user authentication

github.com

37 points by apas 9 years ago · 8 comments

AdamJacobMuller 9 years ago

Very cool project and definitely a cool find.

Interestingly though, I do get a security dialog when this happens. There is an "always allow" option there, so perhaps I just never clicked that in the past.

yladiz 9 years ago

Although I think the claim is a little misleading as I was presented a security dialog box when I ran the command in the script -- "security find-generic-password -ws 'iCloud' | awk {'print $1'}" -- I do think that the idea of "always allowing" access to some important part of your security is a broken model. They should at most allow for a short period of time in which the access is granted, after which the access is revoked, kind of like sudo. When I was presented with "Always Allow", "Deny" and "Allow" as my options, I can easily see how this could happen to someone who just clicks "Always Allow" because in their head they think, "Not this shit again, go away."

grzm 9 years ago

Is this a zero-day? Was any of this submitted to Apple prior to release on GitHub?

leblancfg 9 years ago

At first glance, this seems irresponsible on the part of the author. Contact Apple first and let them know, only release your repo if you don't get an answer, and make sure to let the world know in your README.md.

The engineers at Apple are just as human as you are.

  • entrocode 9 years ago

    I am not the author, but it looks like they added exactly this info 5 hours ago, possibly due to your comment (8 hours ago). Cheers

mfrager 9 years ago

Ouch! This looks really bad. If/when Apple fixes this, it may require all 3rd-party software that accesses the keychain to be updated. However, that's not for sure. We will have to wait and see.
