Devastating Xara Exploit Targets OS X Keychain, Exposes User Passwords

"Xara" might sound like a cool name for an exploit, but according to researchers at three different US universities, it's one that should cause some alarm. At its root, if Xara is properly exploited, attackers would be able to procure passwords stored in OS X's Keychain, which could be used for most or all of someone's applications.

Specific details are not covered, but it seems that if an app is installed on OS X that takes advantage of this exploit, it can take control of the stored passwords, and other information that might be present (eg: the login username itself). Examples given are hijacking the passwords in Google Chrome, Evernote, WeChat, Facebook, and iCloud.

OSX Keychain

The researchers were successful in exploiting this vulnerability, noting that they were able to hijack both Facebook and iCloud passwords. The ultimate problem is that OS X doesn't verify which application owns which credential set in Keychain, and likewise, there's no mechanism in place to check if saving a credential to another app's keychain is suspicious.

This all sounds horrible, but there is an upside. In order for this exploit to actually gain anything useful, those passwords would have had to have been stored after another application was installed that triggered the exploit. That means that it's highly unlikely that many (or anyone) has fallen prey to this exploit yet, but this is still a major bug that Apple will want to waste little time in patching up.