undefined | Better HN

0 pointselmigranto9y ago0 comments

> My point is that they can't do more damage then regular applications you run on your mac.

Well, they can autoconfirm Keychain prompts with simulated keyboard events (and access all the keychain data in general), for one. This is something non-accessibility apps can't do after some update.

Keylogger can't steal your password, if it's in keychain, even though it knows your root password. But I guess now it'll add itself into accessibility, so… waiting for Sierra :)

0 comments

2 comments · 1 top-level

bahoom9y ago· 1 in thread

> Well, they can autoconfirm Keychain prompts with simulated keyboard events (and access all the keychain data in general), for one. This is something non-accessibility apps can't do after some update.

Simulating keyboard (and mouse) events is easily possible for non-accessibility apps (CoreGraphics CGEvent api). In fact, AXUIElementPostKeyboardEvent is just a simple wrapper around CGPostKeyboardEvent.

elmigrantoOP9y ago

It is, but OS X won't accept it and will not unlock Keychain item, unless all the apps that do this are in Accessibility. So if there is an app that uses those APIs but not in Accessibility, even you yourself won't be able to copy anything password-protected from Keychain.

https://support.apple.com/en-us/HT205375

  SecurityAgent
  Available for: OS X El Capitan 10.11

  Impact: A malicious application can programmatically control keychain access prompts

  Description: A method existed for applications to create synthetic clicks on keychain prompts. This was addressed by disabling synthetic clicks for keychain access windows.

  CVE-ID
  CVE-2015-5943

j / k navigate · click thread line to collapse