[Cryptography] Security weakness in iCloud keychain
Ron Garret
ron at flownet.com
Fri May 4 02:35:59 EDT 2018
On May 3, 2018, at 5:37 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> On Thu, May 3, 2018 at 7:38 AM, Kent Borg <kentborg at borg.org> wrote:
> Sounds like they built a very complex system and in that either they messed up, or it is confusing enough that the user (you) messed up.
>
> Ron, I'd recommend seeing if you can replicate this bug, preferably with a new test account and a couple of devices you don't mind wiping afterwards. This might be a bug they've fixed already.
I actually tried that today and got some ambiguous results.
I turned off iCloud keychain on the iPod. As noted earlier, it offered to delete all the stored passwords, an offer which I accepted, but it didn’t actually work. So I manually deleted all the passwords. This took a long time. The settings app crashed several times, and I had to delete in small batches to avoid this.
Then I turned iCloud keychain back on. Two passwords re-appeared. Unfortunately, they were two extremely sensitive ones!
I tried two or three times to delete these rogue passwords, and on the last attempt they stayed gone.
Further investigation will have to wait until I can set up a new Mac with no sensitive information on it. I don’t dare turn on iCloud keychain on a machine that has passwords that I actually care about.
rg