Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani -- two of the team behind the myki identity management security software -- found that a series of terminal commands can be used to extract a range of stored credentials.

What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute.

Special-crafted commands can be triggered by malware -- or even an image or video -- which causes OS X to display a prompt to click an Allow button. But rather than relying on users clicking on a button that appears unexpectedly, the button is displayed very briefly off the edge of the screen or behind the dock, and is automatically pressed using a further command. It is then possible to intercept a user's password and send it to the attacker via SMS or any other means.

The entire process takes less than a second to complete, and is stealthy enough to bypass many, if not all, security products. In an email to CSO, Jebara said:

We disclosed, because we feel that it is the right thing to do, knowing that a vulnerability of this magnitude would have disastrous consequences (you wouldn’t be able to open any third-party file on your computer without the risk of losing all of your sensitive information until Apple issues a patch). But this doesn’t prevent us from going public either. The vulnerability is extremely critical. It allows anyone to steal all of your passwords remotely by simply downloading a file that doesn’t look malicious, and can’t be detected by malware detectors - as it doesn’t behave the way malware usually does.

There are a number of possible attack vectors that could be exploited, including sending a malicious file via email, displaying a malicious file in a web browser, or a P2P attack. Jebara has posted a video that shows brokenchain in action as a proof-of-concept:

Apple has been told about the vulnerability. The company has not only failed to issue a fix yet, but has not even responded to Jebara and Rahbani.

Photo credit: April909 / Shutterstock