Latest MacOS Keychain Vulnerabilty Discovered
I haven’t actually looked into the researchers further explanations, but there was this story (https://thehackernews.com/2017/09/macos-high-sierra-keychain.html?m=1) about a newly discovered vulnerability in the MacOS Keychain. I’m wondering if this affects 1Password users who use TouchID on MacBook Pros since the credentials for unlocking 1P are stored in the Keychain in some form. The news clips would suggest the 1P master password could be compromised. Is that correct?
Thanks for all your work team!
Comments
-
@dsjr2006: When you use Touch ID with 1Password, your Master Password is not stored in the Keychain in plaintext. However, it's certainly possible that someone with access to your Keychain (whether thanks to a vulnerability or because you're sharing a user account) could capture the obfuscated secret which is stored there, decipher it, and potentially use it to access your data. So I'd definitely recommend keeping that in mind until Apple is able to patch this (which I'd bet is high on their priority list), and also any time you install 3rd party software or allow someone else access to your system. After all, it's likely that other vulnerabilities will be found in the future, and giving anyone a foothold is risky regardless.
0 -
That answers my question. Thanks for the quick response!
0 -
You're totally welcome! We're here if you have any others. Always good to stay ahead of this stuff where we can. :)
0