科技回声

Very cool project and definitely a cool find.<p>Interestingly though, I do get a security dialog when this happens. There is an "always allow" option there, so perhaps I just never clicked that in the past.

Although I think the claim is a little misleading as I was presented a security dialog box when I ran the command in the script -- "security find-generic-password -ws 'iCloud' | awk {'print $1'}" -- I do think that the idea of "always allowing" access to some important part of your security is a broken model. They should at most allow for a short period of time in which the access is granted, after which the access is revoked, kind of like sudo. When I was presented with "Always Allow", "Deny" and "Allow" as my options, I can easily see how this could happen to someone who just clicks "Always Allow" because in their head they think, "Not this shit again, go away."

Is this zero-day? Was any of this submitted to Apple prior to release on github?

At first glance, this seems irresponsible from the part of the author. Contact Apple first and let them know, only release your repo if you don't get an answer, and make sure to let the world know in your README.md.<p>The engineers at Apple are just as human as you are.

Ouch! This looks really bad. If/when Apple fixes this it may require all 3rd-party software that accesses the keychain to be updated. However that's not for sure. We will have to wait and see.

Is this zero-day? Was any of this submitted to Apple prior to release on github?

Ouch! This looks really bad. If/when Apple fixes this it may require all 3rd-party software that accesses the keychain to be updated. However that's not for sure. We will have to wait and see.

Decrypt all authorization tokens on macOS without user authentication

5 条评论

Decrypt all authorization tokens on macOS without user authentication

5 条评论