ALL of my logins and passwords available on two family member's devices. WTF Apple?!

[Silverstring]

<shrug> People can put their heads in the sand about that all they like, and whine about what Apple (and Google) do or plan to do. I fail to understand why fools continue to expect privacy on systems they do not control.

Do you like iCloud or other Apple services? Use them? Have an axe to grind with them? I can't tell.

While Apple's services history/rep isn't great and I'm not claiming it is, Family sharing works for me without sharing my entire keychain. Has since the feature was introduced. Obviously, it is broken for others. If it broke for me in this particular way, I would also turn it off...but I would also explore all my options that could close the security hole while enjoying the functionality I had.

I imagine that the OP and others that came here for help are interested in how they might be able to get from their broken state to the happily working state that myself and others seem to be enjoying. They want to use Family Sharing and keychain together without leaking credentials, which is obviously possible.

I fail to understand how you think it's helpful or constructive to tell those experiencing issues just to use something else (well, that and a couple of unnecessary pejoratives). Everyone has a different risk calculus. Just because one might seemingly believe that Apple's services will always be irretrievably and hopelessly broken on an infinite timescale, it's not a unavoidable certainty. Again, keychain and family sharing work for some without this specific issue, so why shouldn't others try troubleshooting it, in case it's an edge case that can be avoided/rectified? Would you tell someone who was trying to fix a current flat to just buy a car with better tires, and they made a mistake getting the car they have and should have never considered it?

Tell me, if the presumably rock-solid, privacy-preserving system(s) you use broke down, would you try to track down the cause and try to address it, or would you just think "Forever Compromised!" and immediately move on to the next thing?

Just like your system has the potential to break, Apple services have the potential to work. You personally don't want to risk it? I support you doing you! Going around telling people that their approach is fundamentally wrong instead seems like wasted energy. As is spending your time reading "fools" "whining".

 

[posguy99]

Do you like iCloud or other Apple services? Use them? Have an axe to grind with them? I can't tell.

I certainly don't use iCloud Drive, iCloud Contacts, iCloud Calendar, etc, for anything I care about. Been there, done that, experienced the data loss. Repeatedly. Why continue to touch the fire repeatedy only to be burned again?

I fail to understand how you think it's helpful or constructive to tell those experiencing issues just to use something else (well, that and a couple of unnecessary pejoratives).

And *I* fail to understand why the same metric people apply in other parts of their life suddenly don't apply when Apple is mentioned in the same sentence. Thing A does not work. Thing B does work. So by all means, continue to use Thing A. Why? So you can complain about it? I have better things to do.

Everyone has a different risk calculus. Just because one might seemingly believe that Apple's services will always be irretrievably and hopelessly broken on an infinite timescale, it's not a unavoidable certainty.

Certainly it is not. To date, however, Apple has not demonstrated competency. Again, I have better things to do than grab the hot poker again and see if it burns me.

Tell me, if the presumably rock-solid, privacy-preserving system(s) you use broke down, would you try to track down the cause and try to address it, or would you just think "Forever Compromised!" and immediately move on to the next thing?

If I don't control that system, the only assumption to make is that it is not private. Therefore, an intelligent evaluation of exactly what information to place there needs to be made.

 

[Silverstring]

I certainly don't use iCloud Drive, iCloud Contacts, iCloud Calendar, etc, for anything I care about. Been there, done that, experienced the data loss. Repeatedly. Why continue to touch the fire repeatedy only to be burned again?

Sorry about your data loss. Not everyone has been burned. I've been with .Mac (then MobileMe, then iCloud) since the early 2000s, and have never lost any data.

Which one of our anecdotal experiences are definitive?

And *I* fail to understand why the same metric people apply in other parts of their life suddenly don't apply when Apple is mentioned in the same sentence.

You're making a big assumption here, and projecting. One, you don't know that it's Apple being involved that's the determinant here. Two, it isn't so black and white, no matter how you paint the picture.

People invest in ecosystems and are thus inclined to try and keep those systems working. Sure, if my toaster breaks, I throw it out and get a new one, as they're essentially commodity products. Not so simple to just switch to a different tech stack/ecosystem. Even if it were, why come down on people for exploring their options, just because your personal experiences were negative?

Thing A does not work. Thing B does work. So by all means, continue to use Thing A. Why?

Because "not working" isn't a permanent and irrevocable state in all cases, is it?

Thing A worked for me (and many others), it's unfortunate that it didn't/doesn't for you (and many others).

Besides, this is a thread about trying to determine the cause of this error, and potentially how to address it. Not about anyones personal history with a product.

I'm not seeing any posts that say "Hey, nasty + huge bug/error/oversight on Apple's part...but whatever, I'm good with it!"

What I am seeing is "Thing A has broken has broken down here, does any one know how to get Thing A to a working state again?"

It's not continuing to use Thing A in spite of its possibly temporary broken state, but you're conflating the two.

So you can complain about it? I have better things to do.

Are you referring to reading threads that annoy you about services you don't use and complaining about complaints?

Certainly it is not. To date, however, Apple has not demonstrated competency. Again, I have better things to do than grab the hot poker again and see if it burns me.

Has not "demonstrated competency" to all. Sure, people can be burned and have been, and that is unfortunate. Still, for many of us, there's no fear of grabbing the poker, because the poker hasn't burned us before, and isn't even glowing.

No matter what personal system(s) you use, I'd bet it isn't 1 of 1 in the universe. Others have used the exact same setup as you, and have their own stories of being burned by it. Any system only works until it doesn't.

If I don't control that system, the only assumption to make is that it is not private. Therefore, an intelligent evaluation of exactly what information to place there needs to be made.

Of course, but "privacy" as a general concept isn't what's being discussed in this thread. People are trying to resolve a specific error condition, and you're telling them to throw the baby out with the bathwater as if the entire system is inherently compromised. You might perceive it that way because of your personal experiences, but those experiences themselves depended on variables that all posters in this thread don't share.

Your experience of catastrophe is no more or less valid than mine of flawlessness, but you're seemingly framing your anecdotal experience as the one true way by appealing to extremes. That's more perplexing that not being able to grasp that people have previously had positive experiences they want to see continue.

 

[Quackers]

Do you like iCloud or other Apple services? Use them? Have an axe to grind with them? I can't tell.

While Apple's services history/rep isn't great and I'm not claiming it is, Family sharing works for me without sharing my entire keychain. Has since the feature was introduced. Obviously, it is broken for others. If it broke for me in this particular way, I would also turn it off...but I would also explore all my options that could close the security hole while enjoying the functionality I had.

I imagine that the OP and others that came here for help are interested in how they might be able to get from their broken state to the happily working state that myself and others seem to be enjoying. They want to use Family Sharing and keychain together without leaking credentials, which is obviously possible.

I fail to understand how you think it's helpful or constructive to tell those experiencing issues just to use something else (well, that and a couple of unnecessary pejoratives). Everyone has a different risk calculus. Just because one might seemingly believe that Apple's services will always be irretrievably and hopelessly broken on an infinite timescale, it's not a unavoidable certainty. Again, keychain and family sharing work for some without this specific issue, so why shouldn't others try troubleshooting it, in case it's an edge case that can be avoided/rectified? Would you tell someone who was trying to fix a current flat to just buy a car with better tires, and they made a mistake getting the car they have and should have never considered it?

Tell me, if the presumably rock-solid, privacy-preserving system(s) you use broke down, would you try to track down the cause and try to address it, or would you just think "Forever Compromised!" and immediately move on to the next thing?

Just like your system has the potential to break, Apple services have the potential to work. You personally don't want to risk it? I support you doing you! Going around telling people that their approach is fundamentally wrong instead seems like wasted energy. As is spending your time reading "fools" "whining".

Sorry about your data loss. Not everyone has been burned. I've been with .Mac (then MobileMe, then iCloud) since the early 2000s, and have never lost any data.

Which one of our anecdotal experiences are definitive?

You're making a big assumption here, and projecting. One, you don't know that it's Apple being involved that's the determinant here. Two, it isn't so black and white, no matter how you paint the picture.

People invest in ecosystems and are thus inclined to try and keep those systems working. Sure, if my toaster breaks, I throw it out and get a new one, as they're essentially commodity products. Not so simple to just switch to a different tech stack/ecosystem. Even if it were, why come down on people for exploring their options, just because your personal experiences were negative?


Because "not working" isn't a permanent and irrevocable state in all cases, is it?

Thing A worked for me (and many others), it's unfortunate that it didn't/doesn't for you (and many others).

Besides, this is a thread about trying to determine the cause of this error, and potentially how to address it. Not about anyones personal history with a product.

I'm not seeing any posts that say "Hey, nasty + huge bug/error/oversight on Apple's part...but whatever, I'm good with it!"

What I am seeing is "Thing A has broken has broken down here, does any one know how to get Thing A to a working state again?"

It's not continuing to use Thing A in spite of its possibly temporary broken state, but you're conflating the two.




Are you referring to reading threads that annoy you about services you don't use and complaining about complaints?



Has not "demonstrated competency" to all. Sure, people can be burned and have been, and that is unfortunate. Still, for many of us, there's no fear of grabbing the poker, because the poker hasn't burned us before, and isn't even glowing.

No matter what personal system(s) you use, I'd bet it isn't 1 of 1 in the universe. Others have used the exact same setup as you, and have their own stories of being burned by it. Any system only works until it doesn't.


Of course, but "privacy" as a general concept isn't what's being discussed in this thread. People are trying to resolve a specific error condition, and you're telling them to throw the baby out with the bathwater as if the entire system is inherently compromised. You might perceive it that way because of your personal experiences, but those experiences themselves depended on variables that all posters in this thread don't share.

Your experience of catastrophe is no more or less valid than mine of flawlessness, but you're seemingly framing your anecdotal experience as the one true way by appealing to extremes. That's more perplexing that not being able to grasp that people have previously had positive experiences they want to see continue.

Ah, some sense!

 

[jordangrant]

This was a shocking issue to experience. Setting up my brother's new MBP 16 and boom, Safari is showing MY password on a site to autofill.

I check the passwords list and all of them are there, both of ours mixed together.

We have Family Sharing + Apple One. What a huge security breach. So so so bad. Signed up for MacRumors just to post this and was asked to add the PW to keychain to add insult to injury.

 

[Ifti]

Ive been using Family Sharing for years - I only use it to monitor screentime to be fair, and for Find My, but I have never come across a password sharing issue - didnt even know it was an issue until I came across this thread.....

 

[jordangrant]

If I were to guess, I’d say the culprit is iCloud+ Family sharing (Since Keychain lives in iCloud) We only started iCloud storage sharing when Apple One was released, and that roughly coincides with when my brother noticed this. Just a guess.

 

[960design]

Ive been using Family Sharing for years - I only use it to monitor screentime to be fair, and for Find My, but I have never come across a password sharing issue - didnt even know it was an issue until I came across this thread.....

I'm with you.
I admin many Apple devices and have not seen this issue.
My family uses family sharing on probably 20 something Apple devices and no issues.

Technically, I want to know what is causing this, but have not been able to reproduce.
As a security audit, I created 1000 AppleIDs and attempted to duplicate the issue with no success across devices.
I was able to save passwords across browser logins. These would prompt to be saved to keychain of the currently logged in device user ( not matching browser login ). But, even this did not allow cross contamination of Apple accounts.
Without a doubt, this would be most concerning if it happened to me.

Bias Note:
It looks like this issue is being seen only by newly registered MacRumors users. Has any one of the one million longer term MacRumors members seen this issue?

 

[jordangrant]

I spoke to Apple support on the phone. She listened to the issue and one of her suspicions was merging Keychain due to device sharing.

In my situation my brother had a user account on my MacBook before his new one. So, possible.

She mentioned if you keep data on your MacBook after signing out, when another user logs in to Apple ID, and then it’s synced it could inadvertently merge. Something like that.

@960design it’s real! Not huge deal for me but some affected for sure. trust me, I’m an engineer (lol)

 

[jordangrant]

Check this out y’all
You’ll notice it’s not every password but a chunk of them. MetricOptimizedGating is a 2014 GitHub password. But windowshoppermobile GitHub didn’t carry over. My phone plan is on his keychain there at the top. I cannot make this up

Check my moms device today and she didn’t have any of our passwords in her keychain. Maybe the merge is device cross contamination. I couldn’t tell you

 

[Quackers]

Bias Note:
It looks like this issue is being seen only by newly registered MacRumors users. Has any one of the one million longer term MacRumors members seen this issue?

I've been here since 2013 and have used one or two Macs and iphones in my time and it happened to me and my sister's appleid/keychain after sharing a few books using Family Sharing.

 

[Ifti]

Is this linked to Apple One in any way??
Are all users seeing this issue subscribed to Apple One?

 

[JonaM]

One question for those experiencing this and wanting to find the cause-
If you change a password on your device that is only logged in to your Apple ID, does the password also change on the other person's device?
I'm wondering if this was one-off on-device merge at some point where the contents of person A's keychain got added to person B's or if they are actually sharing an ongoing keychain.

 

[throAU]

Which browser?

 

[MajorFubar]

The key to solving this (pardon the unintended pun) is why isn't this a problem for everyone using keychain and family sharing? Why does it only affect certain users? That will be why it hasn't been patched by Apple: probably they cannot replicate the issue. I've used family sharing literally since launch day, so long ago I'd have to Google when that was, and neither my two sons nor my wife can see mine nor each others' passwords. We all have Macs, iPads and iPhones and all three of them use my 2TB iCloud+ plan as family members.

 

[JonaM]

The key to solving this (pardon the unintended pun) is why isn't this a problem for everyone using keychain and family sharing? Why does it only affect certain users? That will be why it hasn't been patched by Apple: probably they cannot replicate the issue. I've used family sharing literally since launch day, so long ago I'd have to Google when that was, and neither my two sons nor my wife can see mine nor each others' passwords. We all have Macs, iPads and iPhones and all three of them use my 2TB iCloud+ plan as family members.

Agreed - a common factor seems to be both users logging on to the same device in quick succession as part of setting it up, so I do wonder if the local keychain is being set up by the first user when they sign in to help set up the device and then when the long-term user signs on the local keychain with the other user's password now in is the default keychain so is then merged with the second user's keychain when they sign in.

 

[960design]

I've been here since 2013 and have used one or two Macs and iphones in my time and it happened to me and my sister's appleid/keychain after sharing a few books using Family Sharing.

This! Thank you. I will try iterations of this.

Bear with me here:
I do know that if I sign out of an account, then sign in using another account with access to let's say "Angry Birds" and download it, then sign out of the "Angry Bird" account holder and sign back in using the original account, "Angry Birds" will stay on the device but not be able to update without the "Angry Bird" account owners original password. I do not think this is what is happening, but maybe something along the sharing explicitly lines.

 

[Runs For Fun]

I'm with you.
I admin many Apple devices and have not seen this issue.
My family uses family sharing on probably 20 something Apple devices and no issues.

Technically, I want to know what is causing this, but have not been able to reproduce.
As a security audit, I created 1000 AppleIDs and attempted to duplicate the issue with no success across devices.
I was able to save passwords across browser logins. These would prompt to be saved to keychain of the currently logged in device user ( not matching browser login ). But, even this did not allow cross contamination of Apple accounts.
Without a doubt, this would be most concerning if it happened to me.

Bias Note:
It looks like this issue is being seen only by newly registered MacRumors users. Has any one of the one million longer term MacRumors members seen this issue?

I also have Family Sharing set up with shared iCloud storage etc. and do not have this problem.

This! Thank you. I will try iterations of this.

Bear with me here:
I do know that if I sign out of an account, then sign in using another account with access to let's say "Angry Birds" and download it, then sign out of the "Angry Bird" account holder and sign back in using the original account, "Angry Birds" will stay on the device but not be able to update without the "Angry Bird" account owners original password. I do not think this is what is happening, but maybe something along the sharing explicitly lines.

That's something I haven't thought of. I wonder if anyone seeing this has installed an app on a family member's device using their Apple ID.

 

[jordangrant]

NEW DEVELOPMENT: all my passwords on my brother’s keychain say last modified on the same day: 2020-09-17

I going to try and figure out what happened that day..

 

[BigMcGuire]

View attachment 1924573 NEW DEVELOPMENT: all my passwords on my brother’s keychain say last modified on the same day: 2020-09-17

I going to try and figure out what happened that day..

Thanks for sharing - this is most interesting - good luck finding out!

 

[Quackers]

Is this linked to Apple One in any way??
Are all users seeing this issue subscribed to Apple One?

Neither me or my sister has used Apple One, so not connected to that in our case.

Which browser?

Safari

 

[Quackers]

Agreed - a common factor seems to be both users logging on to the same device in quick succession as part of setting it up, so I do wonder if the local keychain is being set up by the first user when they sign in to help set up the device and then when the long-term user signs on the local keychain with the other user's password now in is the default keychain so is then merged with the second user's keychain when they sign in.

I seem to remember setting up my sister's new ipad using my appleid originally. I'm not 100% but that could be around the time that all of this started.
After signing out the ipad was then used by my sister using her own appleid though it was some time later when that happened.
So yes, it seems likely that this could be connected.

 

[funwithstuff]

It's an uncommon glitch — I've had a similar issue and resolved it after several calls to Apple support. My daughter's Apple ID and my Apple ID became confused at one point, resulting in HomeKit and Screen Time not working as they should have. Support eventually figured out that the two accounts shared an (invisible) ID and were in some cases being treated as the same. Keychain passwords will be shared in the same way.

Call Apple, explain what's happened, and hopefully they'll be able to figure this out. The fix involves a bit of logging out and in on all devices, and a special Apple-provided profile to make sure the IDs aren't the same. Nobody lost any data, and things are generally back to normal, but it's not something I could fix alone.

 

[EedyBeedyBeeps]

NEW DEVELOPMENT: all my passwords on my brother’s keychain say last modified on the same day: 2020-09-17

I going to try and figure out what happened that day..

iOS 14 was released on September 16, 2020. Did you or your brother happen to update to iOS 14 on the 17th, the day after iOS 14 was released last year?

In my keychain, the last-modified date on many of the passwords is September 16, 2020, coinciding with the date I installed iOS 14. (It's possible I changed a bunch of passwords that day, though, I guess?)

Does this mean that the last-modified date of any given password could be an iOS 14 installation date and not necessarily related to the date the keychains became "cross-contaminated"? I don't know much about keychain stuff.

I don't have family members' passwords showing up randomly in my keychain, as far as I know. I do have family-sharing turned on, wherein I'm the Organizer. I don't have iCloud+ or Apple One.

 

[jordangrant]

iOS 14 was released on September 16, 2020. Did you or your brother happen to update to iOS 14 on the 17th, the day after iOS 14 was released last year?

In my keychain, the last-modified date on many of the passwords is September 16, 2020, coinciding with the date I installed iOS 14. (It's possible I changed a bunch of passwords that day, though, I guess?)

Does this mean that the last-modified date of any given password could be an iOS 14 installation date and not necessarily related to the date the keychains became "cross-contaminated"? I don't know much about keychain stuff.

I don't have family members' passwords showing up randomly in my keychain, as far as I know. I do have family-sharing turned on, wherein I'm the Organizer. I don't have iCloud+ or Apple One.

It’s further possible that I had the developer beta in June, and he got iOS 14 later in September.. so probably not related then. Darn