Stored passwords in Apple software might not be secure

Apple claims that its “Keychain” software lets people securely store their passwords on their Macs. As it turns out, hackers can pull the keys off the chain.

A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps. That exposes the passwords to your iCloud account, notes, photos, email, banking, social media — everything.

Researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them.

Apple did not respond with a comment on Tuesday.

The research team said it went public with its findings on Tuesday, because Apple took too long to fix it. They initially notified the company in October. Apple tweaked its operating system in January, they said, but the supposed fix didn’t actually solve the problem.

Fast-forward to June, and there’s still no solution.

A person with knowledge of Apple’s security policies said the company was partly caught by surprise with the sudden publication of this report, since Apple had been communicating with the researchers.

The researchers might pay for their adventure. Apple typically revokes developer credentials for anyone who slips malware into the App Store — even for security research. Renowned security researcher Charlie Miller got a one-year suspension from the App Store in 2011 for that very reason.