Severe security hole in all MacOS versions. How to mitigate popups requesting admin passwords?

[LarTeROn]

MacOS seems to have a very poor design choice when it comes to password requests.

"Printtool is trying to modify the printer settings.", -> enter admin user and password.

"(App) is trying to request access to your keychain" -> enter admin user and password.

But there is nothing for the user to know for sure that this password request is legitimate! This is a gaping hole in MacOS. How can we mitigate this?

One way I can think of is to drag that window to the side of the screen because it will simply reappear if you try to cancel it. Then go and make the fix manually. So, how to do this in the case of keychain and printtool?

If you just typed in your password, admit it. I know I gave up a few times on this.

 

[Nermal]

But there is nothing for the user to know for sure that this password request is legitimate!

If it's in response to you trying to change system settings, then it'll be legitimate. If it pops up out of the blue, it won't be. Are other systems any different? I know Windows' UAC prompts work the same sort of way, but I'm not familiar with Linux.

 

[f54da]

>But there is nothing for the user to know for sure that this password request is legitimate! This is a gaping hole in MacOS.

Astutely noted.

Ovid’s myths of macOS: password entry dialogs and the death of Semele

Killed by Jupiter’s thunderbolts when she insisted he proved his identity, this myth is a reminder that making something more secure isn’t always a good answer.

eclecticlight.co

How to tell genuine password requests from fakes

Malware tries to trick you into providing it your password. How to recognise genuine requests from those fakes.

eclecticlight.co

IIRC it used to be the case that these popups were done by SecurityAgent process, so you could use AXApi to get the list of windows for that process and correlate it with the window you're seeing.

 

[bob_zz123]

Talk about overdramatic, "severe security hole", what a clickbait topic title. There's only so much that can be done though, you have to have a way of entering your password to perform the security operation. Perhaps we should suggest Apple adds a line of text: "This is a genuine request" (As if that could not be faked!!). UAC at least does that thing where it blurs the rest of the window although I am sure that malware could do that as well if it wanted to. I would say there probably isn't an easy solution that is also user friendly, give everyone an iPhone for free included in your Mac purchase and send a push notification to the phone to approve?

 

[organicCPU]

How can we mitigate this?

I hate the idea to get 2FA or similar obstacles for admin dialogs.

How business users handle it:
Never trust a computer, never trust a person, never use a computer, never deal with others, let someone else who is keen enough to give his credentials administer your computer, employ someone that is responsible to deal with others and dismiss him, if something went wrong.

How users responsible for themselves could handle it:

• Make at least two backups of all important data (keep at least one offline in a safe place) and start over with a fresh install, if you did the wrong click
• Don't install apps that you don't need or cannot trust
• Don't deal with people that you don't trust, never give them physical or remote access and never handout your devices to them
• Use just networks that you can trust and avoid public networks as far as possible
• Use security software that you trust (e.g. application and IP firewalls, malware and virus scanners)
• Spend some time to read manuals and configure your devices (routers, mobile phones, smartwatches, smart devices, etc.)
• Use search engines to gather more info before you press buttons (e.g. check dialog box texts, process and app names)
• Always be a bit distrustingly and wakeful and just click a link or a button if you expect that nothing can be wrong with it
• Stay away from any computer, if you are too tired or too distracted to follow at least those simple rules

 

[LarTeROn]

Talk about overdramatic, "severe security hole", what a clickbait topic title. There's only so much that can be done though, you have to have a way of entering your password to perform the security operation. Perhaps we should suggest Apple adds a line of text: "This is a genuine request" (As if that could not be faked!!). UAC at least does that thing where it blurs the rest of the window although I am sure that malware could do that as well if it wanted to. I would say there probably isn't an easy solution that is also user friendly, give everyone an iPhone for free included in your Mac purchase and send a push notification to the phone to approve?

edit: Possibly part of the reason why I see this as worse than you might be that you have touchID, whereas my system doesn't have that. So maybe you get a slightly different dialogue, and it's not so bad.

If allowing hardware solutions, then there is an easy improvement, which is to at least give feedback that only a secure element can give. For example, on Android phones there's a warning that pops up with a hash of the bootloader when you boot a custom ROM. That hash could be displayed on a separate screen that only the secure element has access to.

Likewise, the O/S could at least flash the keyboard, touch ID or anything that only a secure element can access when it is making a request and reserve an area of the screen that can't be obscured by a user level process.

Thanks for mentioning UAC blurring the rest of the screen. I'd got used to that and other o/s actions, so when I first encountered these popups I immediately balked at it. I can see that's the reason why.

f it's in response to you trying to change system settings, then it'll be legitimate. If it pops up out of the blue, it won't be. Are other systems any different? I know Windows' UAC prompts work the same sort of way, but I'm not familiar with Linux.

My wife's laptop pops the printer process dialogue out of the blue. We don't know what to do about that. My system only throws the popups on first boot. I need to know how to avoid those too.

IIRC it used to be the case that these popups were done by SecurityAgent process, so you could use AXApi to get the list of windows for that process and correlate it with the window you're seeing.

I looked into it and apparently malware can spoof window titles, so I'm not sure it works? Good to see something like this though. Even if it's not infallible, an extra check would be enough for me.

 

[f54da]

>I looked into it and apparently malware can spoof window titles

Sure they can spoof titles, but that has no bearing on what I mentioned - you ask the system what windows the SecurityAgent process currently owns, and see if the coordinates of that window matches that of the popup under suspicion. Accessibility Inspector pretty much does this something similar for you, so you should be able to use that to tell you which process created a given window.

 

[LarTeROn]

>I looked into it and apparently malware can spoof window titles

Sure they can spoof titles, but that has no bearing on what I mentioned - you ask the system what windows the SecurityAgent process currently owns, and see if the coordinates of that window matches that of the popup under suspicion. Accessibility Inspector pretty much does this something similar for you, so you should be able to use that to tell you which process created a given window.

Thanks This is a solution. I now need to make it easy enough for my wife to follow. Suprisingly, there's no consumer tool to help with this.
There's a few suggestions here:

How to identify which process is running which window in Mac OS X?

I’d like to know if it is possible to identify which process is responsible for creating/managing a window in Mac OS X. For example, when multiple instances of an application are started, how can...

superuser.com

1) a python script. cons: might need fighting dependancies, venv etc. If I get it working, I'll try to package it
2) xcode accessibility inspector. cons: I'll download the gigabytes when I next get access to fast wifi
3) just tab on the window and watch CPU usage in activity monitor. cons: maybe it's not reliable pros: even my wife can learn this.

That said, I think we should have a tool to help with this.
Thanks again. Most useful reply

 

[galad]

Anyone can blur the screen and recreate the UAC pixel per pixel.

 

[f54da]

>2) xcode accessibility inspector. cons: I'll download the gigabytes when I next get access to fast wifi

Theoretically you don't need the entire xcode application for accessibility inspector, if you have another machine you could copy over just accessibility inspector.app. Using accessibility inspector is probably the easiest solution out of those three you mentioned.


>Anyone can blur the screen and recreate the UAC pixel per pixel.

This is true. Windows NT actually had a genius solution to this whole ordeal. There's actually a deeper reason why they had you press control-alt-delete every login, it's a form of a conditioned-safe ceremony. See the paper https://people.eecs.berkeley.edu/~daw/papers/condsafe-ndss09.pdf


>One previous application of software-based forcing functions in computer security is the concept of a secure attention key (SAK). A SAK is a mandatory special key combination users must type before they can take a securitycritical action, e.g., submitting their password. On Window NT systems, users must type Control-Alt-Delete to get a login prompt. The SAK diverts control to the OS kernel, foiling any user-level spoofed login prompts. Since typing the SAK is mandatory, the hope is that users will learn to always enter the SAK before submitting their password.

I don't know why they never extended this to UAC...