UPDATED with response from Apple. Apple's new macOS 10.13 High Sierra is only a day old, and it's already been hacked. A rogue application or other service running on a Mac can easily break into. Juuso Salonen A software developer has released an open-source app for the Mac that, when run with administrator privileges, dumps all the passwords belonging to other people currently logged on to. Doing this probably took me no more than 10 minutes and I got access to everything on the Mac. I would then also be able to reset the user’s password to log into their account, in which I could access Google Chrome’s password manager, and even the Keychain to access other passwords for emails and Facebook etc. As reported by Wired, in 2019, 18-year-old German security researcher Linus Henze demonstrated his hack, dubbed KeySteal, that grabs passwords from the Keychain. Initially he withheld details of the hack, demanding Apple set up a bug bounty for macOS. Apple had however not done so when Henze subsequently revealed the hack.
Mac® OS has a feature known as Keychain that stores all of the passwords you have used. By default, the keychain unlocks automatically when you log in.
We have just released a brand new tool, and this time it’s not about mobile forensics. Or is it?
Elcomsoft Password Digger is designed for decrypting the content of Mac OS protected storage, the keychain. For one, it’s a Windows tool, so you’ll need to pull keychain files from the Mac OS system along with any decryption metadata (such as the key file for the system keychain or user’s password for decrypting the user keychain). After decrypting the keychain, we’ll export everything into an XML, and create a filtered plain-text file that only contains passwords (to be used as a pluggable dictionary in various password recovery tools).
So what is this all about?
Mac OS Keychain
It’s about passwords. This time around, we are targeting passwords Mac OS users keep in the Keychain. If you follow our blog, you’ve already heard of the iOS keychain. In iOS-powered devices such as iPhone and iPad, the keychain is used to keep a lot of highly sensitive information. With every major iOS release, Apple seems to move more and more stuff under the umbrella of this encrypted storage.
Dealing with iOS keychains is extremely tough, as those are securely protected by strong, hardware-based encryption keys. When dealing with an iPhone, we can only access decrypted keychain via physical acquisition (jailbreak required, 32-bit devices only) or extract from a password-protected backup. Fortunately, keychain acquisition is much easier for computers running Apple’s desktop OS, Mac OS X.
According to various sources, approximately 4.9 to 6.5 of all desktop and laptop computers are running Mac OS X. The use of Mac OS is on the rise, with more Apple computers sold every year compared to other platforms. In Mac OS, the keychain plays the role of a system-wide, centralized password storage. It’s preinstalled on every system, it’s convenient and extremely simple to use, which makes it the tool of choice for most users. As a result, nearly every password a Mac OS user ever types ends up in the keychain.
What’s In There?
As already mentioned, nearly every password the user ever types ends up in the keychain. After just a few days of using the system, the user may’ve already typed the following passwords:
System Keychain
- Wi-Fi passwords
User Keychain
- Apple ID password
- Password to iTunes backups
- AirPort and TimeCapsule passwords
- Passwords to Web sites and accounts
- VPN, RDP, FTP and SSH passwords
- Passwords to mail accounts including Gmail and Microsoft Exchange
- Passwords to social networks
- Passwords to network shares
- iWork document passwords
That’s a lot of passwords in a single storage! Extracting them can surely help an investigation. However, there is one particular password that can help the most. And that is the user’s Apple ID password.
Apple ID Password: The Goldmine
If you manage to decrypt the keychain and discover the user’s Apple ID and password, you may have just found a goldmine. With Apple ID and password, you may be able to log in to the user’s Apple account to download and analyze over-the-air backups saved by all iOS devices registered to that account. This includes the user’s iPhone, iPad and iPod Touch devices. If you’re lucky and no two-factor authentication is present, you can simply use Elcomsoft Phone Breaker Forensic to download a clean, unencrypted backup that can be viewed in Elcomsoft Phone Viewer or analyzed in one of the many commercial forensic tools.
Building a Custom Dictionary
Another purpose of using Elcomsoft Password Digger is building a custom dictionary containing all of the user’s passwords. As you may know, many types of passwords are just too slow to brute force. For example, even if you use a high-end hardware accelerator, you can only try about 25,000 password combinations per second when attacking documents encrypted with Microsoft Office 2013. That’s not a lot, and rules out attacks on long, complex passwords – unless you have a good dictionary. And what could be more relevant for breaking a strong password than a dictionary containing that user’s other passwords? Elcomsoft Password Digger builds just that: a highly relevant dictionary that contains all passwords stored by the user in the Mac OS keychain.
Even if the dictionary attack doesn’t work right away, there are other helpful options available. By just looking at someone’s passwords you can get an idea on whether they reused a common password among multiple accounts, or had a specific pattern for memorizing their passwords. This information will help building a custom template or mask when performing a brute-force attack.
Using Apple Keychain Access
If you are using a Mac, you can get an idea of what sort of data is stored in the keychain. Just launch Keychain Access, a built-in tool available in every version of Mac OS, and you’ll see the list of passwords along with URLs (or application names), date and time, and other relevant information. When using Keychain Access, you’ll have to type your password every time you open a new record, so using Keychain Access for an investigation is probably not the best idea.
Requirements to Extract Keychain Data
In order to use Elcomsoft Password Digger, you’ll need a Windows PC to run the tool, a set of keychain files extracted from the target Mac OS computer, and the user’s authentication information (Mac OS login and password or keychain password, if it’s different). For decrypting the system keychain, you’ll need a decryption key that must be extracted from the Mac OS computer (administrative privileges required).
System Keychain
- Keychain file extracted from the user’s Mac OS system
- Decryption key from the same system *
* The decryption key for system keychain must be extracted; administrative privileges are required if extracting from a live system
User Keychain
- Keychain file extracted from the user’s Mac OS system
- User’s local login password or keychain password (if different)
Obtaining Keychain Files
In order to decrypt the keychain with Elcomsoft Password Digger, the first thing you’ll need aside from the Elcomsoft tool is the keychain itself. In Mac OS, the keychain is stored in several physical files. Yet another file holds the decryption key for the system keychain. You’ll need all of these in order to gain full access to encrypted information.
If you’re acquiring keychain files from a live Mac OS X system, do the following.
- Make a new folder on the desktop (e.g. “KEYCHAINS”).
- Open Terminal and issue the following command: cd Desktop/KEYCHAINS
- Copy the following files into the current folder (“KEYCHAINS”):
cp /Users/<username>/Library/Keychains/login.keychain .
cp /Library/Keychains/System.keychain .
sudo cp /private/var/db/SystemKey .
Note that you need superuser access in order to extract SystemKey, a file that contains encryption metadata for decrypting the system keychain. You’ll be prompted for a password. Also note there is a final dot at the end of each “copy” command. This is not a formatting error; the dot means that the file is to be copied into the current folder (“KEYCHAINS” in our case). <username> is the name of the user whose keychain you are about to extract (the currently logged in user is displayed before the “$” sign).
- Transfer the content of the “KEYCHAINS” folder to the Windows PC where you have Elcomsoft Password Digger installed. When Elcomsoft Password Digger prompts you for keychain location, point it to that folder.
If you have a disk image instead of the live system, extracting files is easier since you won’t need superuser access or admin password. Just mount the disk image and use your favorite file manager to copy the required files to your Windows computer.
Mounting the disk image is normally not a problem. If you’re dealing with a DMG image, Mac OS has built-in tools to mount it. If the disk image is in EnCase .E01 format, you’ll need to use third-party tools to mount the image.
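For the disk-image case described above, the following is an added example (not part of the original article and not Elcomsoft code) that copies the three files from a mounted image and writes a SHA-256 manifest so the copies can later be shown to match the source. The mount point, account name, output folder, manifest name and function names are assumptions; it also looks for login.keychain-db, the file name macOS has used for the user keychain since 10.12.

```shell
#!/bin/sh
# Added example: collect keychain files from a mounted disk image and hash them.
# Assumed usage: sh collect.sh <mounted-image-root> <username> <evidence-folder>

hash_file() {
    # sha256sum on Linux, shasum on macOS; print only the hex digest
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

collect_keychains() {
    root=$1; user=$2; dest=$3
    manifest="$dest/MANIFEST.sha256"   # illustrative file name
    missing=0
    mkdir -p "$dest" || return 2
    : > "$manifest"
    for rel in \
        "Users/$user/Library/Keychains/login.keychain" \
        "Users/$user/Library/Keychains/login.keychain-db" \
        "Library/Keychains/System.keychain" \
        "private/var/db/SystemKey"
    do
        src="$root/$rel"
        [ -f "$src" ] || continue
        name=$(basename "$rel")
        cp -p "$src" "$dest/$name" || return 2
        # Hash source and copy independently; refuse to continue on mismatch
        before=$(hash_file "$src")
        after=$(hash_file "$dest/$name")
        [ "$before" = "$after" ] || { echo "hash mismatch: $rel" >&2; return 2; }
        printf '%s  %s  /%s\n' "$after" "$name" "$rel" >> "$manifest"
    done
    # Report what the decryption step will be missing
    [ -f "$dest/SystemKey" ] || {
        echo "SystemKey absent: System.keychain cannot be decrypted" >&2; missing=1; }
    [ -f "$dest/login.keychain" ] || [ -f "$dest/login.keychain-db" ] || {
        echo "no user keychain found for $user" >&2; missing=1; }
    return $missing
}

# Run only when called with the three arguments described above
if [ "$#" -eq 3 ]; then
    collect_keychains "$1" "$2" "$3"
fi
```

The function returns 0 when everything needed for decryption was copied, 1 when SystemKey or the user keychain is absent, and 2 on a copy or hash failure.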
Issues and Obstacles
The keychain is supposed to be secure, yet Elcomsoft Password Digger offers instant decryption. So is there something wrong with keychain security, or is there something we are not telling you?
Well, in fact, there are certain obstacles that can make keychain acquisition and/or decryption difficult or impossible. If, for example, the disk is encrypted with FileVault2, we won’t be able to extract keychain files, so there will be nothing to decrypt.
Another potential issue is attempting to decrypt a user keychain with a missing password. Since Elcomsoft Password Digger requires a password to decrypt the keychain, there’s really nothing the tool can do if the password is not known. At this time, we are working to add the ability to break keychain passwords to Elcomsoft Distributed Password Recovery; we’ll post immediately when it’s ready.
It’s Getting Better
Elcomsoft Password Digger is still new. Version 1.0 can only accept keychain files copied from a Mac OS X system. This very moment we’re working on building a native Mac OS version of the tool, and adding two alternative ways to acquire keychains:
See the two greyed-out options? The native Mac OS tool will be able to extract keychain files automatically from the current system (if launched on the computer being investigated; administrative password required for extracting decryption key for the system keychain). Both Windows and Mac OS tools will be able to use an offline disk or mounted disk image to automatically locate and extract system and user keychains. The update will be free to those who purchase the initial edition.
Most of the time, your Mac just works and you don’t have to worry about any of the stuff that’s going on in the background. You just start it up, log in and get to work. Sometimes, however, there are signs that all is not well. They can range from minor irritations to major crashes. One of these apparently minor irritations, but something that is also a symptom of a bigger problem is the message “accountsd wants to use the login keychain” appearing repeatedly on-screen. In this article, we’ll tell you what accountsd is, why it keeps asking for access to the login keychain, and what you should do about it.
What is accountsd?
Accountsd is the Accounts database, part of the Accounts Framework, which stores login credentials for apps and services you use on your Mac. The Framework allows app developers to build access to accounts into their app, without them having access to your usernames and passwords. In order to work properly, the framework needs access to your login keychain, which manages usernames and passwords for accounts you use on your Mac.
Why does the message appear on my Mac?
When you first create a user account on your Mac, your login password and the password for your login keychain are in sync and systems that need to access the login keychain can do so when you’re logged in.
However, if your login password and keychain passwords become out of sync, those systems will have trouble accessing your keychain and will have to ask for permission. This can happen if you or an administrator on your Mac changes your login password. The message “accountsd wants to use the login keychain” is an indication that those passwords are out of sync.
How to fix the “accountsd wants to use the login keychain” message
As we said above, the message appears because your login password and the password for your login keychain are out of sync. So you need to fix that.
- Navigate to Applications>Utilities and double-click Keychain Access to launch it.
- Click on the Edit menu and choose Change password for keychain “login”.
- If the keychain is locked, enter the previous user password for your account. If you entered the correct password, you should see a new window appear.
- Enter the previous password in the box labelled Current Password.
- Enter your current user password in the New Password field.
- Type in the new user password again in the Verify field.
That should synchronize the login keychain and user login passwords and you should no longer see the message.
Create a new login keychain
If it doesn’t work, the next step is to create a new login keychain. Don’t worry, macOS retains your old keychain and all of its passwords and account details, so you can copy them to the new keychain. When you create a new login keychain, it will be given the same password as your user account. Before you do that, you need to make a copy of your existing login keychain.
- In the Finder, click on the Go menu and choose Go to Folder.
- Type: ~/Library/Keychains
- Locate the login keychain and press the Alt/Option key and drag the file onto your Desktop.
- Click and hold on the name of the copied file on your Desktop, until the name is selected. Replace ‘login’ with a different name.
Now we’ll reset the default keychains
- Go to Applications>Utilities and launch Keychain Access.
- Click on the Keychain Access menu and choose Preferences.
- Press Reset My Default Keychains.
Keychain Access will now create new empty login and iCloud keychains, which will be given the same password as your user account.
Finally, add Keychain
- In Keychain Access, go to the File menu and choose Add Keychain.
- Navigate to the keychain file on your desktop and select it. Press Add.
You’ll see the keychain appear in the list of keychains in the sidebar in Keychain Access, with all your logins and passwords in it.
- To copy an item from the imported keychain to your new login keychain, right-click on it in the imported keychain and choose ‘Copy [name of item]’.
- Click on the new default keychain, right click on the main window, and choose ‘Paste [name of item]’.
You’ll be asked to enter the keychain password, perhaps more than once. Type in the password of the keychain you are copying from.
You can’t copy items to the new iCloud Keychain, so there’s no point importing the old one. That keychain will be populated automatically when you sync with iCloud.
You only need to import your old login keychain and add its entries to the new one if you want to carry on using your Mac with the absolute minimum of disruption. If you use iCloud Keychain, most of your usernames and passwords will be stored in that and be automatically copied to the new iCloud keychain. For others, you will be asked to enter the username and password for accounts as and when required, and they will then be stored in the new login keychain. Adding the old keychain just provides an extra level of convenience and insurance in case you forgot the passwords.
If you don’t already use iCloud Keychain, here’s how to turn it on on your Mac.
- Click on the Apple menu and choose System Preferences.
- In newer versions of macOS, click on AppleID and then on iCloud.
- In older versions, select the iCloud pane in the main System Preferences window.
- Scroll down until you see ‘Keychain’.
- Check the box next to it.
- Quit System Preferences.
If you ever need to view a password stored in a keychain, say to paste it into an app, you can do that. Launch Keychain Access and click on the keychain where the password is stored. Then double-click on the keychain item and check the box next to Show password. Type in the password for the keychain and press OK. Alternatively, to copy it to the clipboard, right-click or Control-click on the login item and choose ‘Copy password’.
Fix your accounts settings with CleanMyMac X
Keeping passwords and user accounts secure by using keychains to store them is important in improving your privacy. But there are other ways you can do that, too. And CleanMyMac can help, by sweeping up the traces you leave behind as you use your Mac.
These traces include permissions you’ve granted to applications to use your camera, microphone, boot disk, built-in apps, or other parts of this system that are protected. They also include browser and download history, saved passwords, and autofill data for all the browsers installed on your Mac. And, importantly if you use a MacBook Pro or MacBook Air, they include the list of wi-fi networks you’ve connected to in the past. CleanMyMac X can revoke permissions and remove data at the press of a couple of buttons.
Here’s how to use it.
- Download CleanMyMac X free version if you don’t already have it.
- Press Scan.
When it’s finished, you’ll see a list of things it has found, separated into categories, that could compromise your privacy. Review them one by one and check the box next to any that you want to remove. When you’re done, press Remove.
Clear up your internet-related items
The login keychain is a key tool used to protect your privacy by encrypting usernames and passwords for apps and services you use with your Mac. But there are other ways your privacy can be compromised. These include things as seemingly innocent as the list of apps you’ve opened recently, or websites you’ve visited, to permissions you’ve granted to apps, like access to your FaceTime camera, and wi-fi networks you’ve connected to in the past. It’s a good idea to audit this data regularly and delete what you no longer need. The simplest way to do that is to use the Recent Items List tool in CleanMyMac X.
This clears up temporary details about:
- Recently accessed servers
- Recently launched applications
- Recently opened documents
Has it fixed the issue with accountsd? Apparently, the pop-up shouldn’t come up again.
As you can see, as well as the inconvenience of the ‘accountsd wants to use the login keychain’ message, there are a number of other issues you can run into with keychains. And many users find them confusing and daunting to manage. However, Keychain Access makes it quite easy, and by following the steps above you can get rid of the message and fix other keychain problems. And remember, CleanMyMac X can help protect your privacy in lots of ways, too.