Is this something in scope of trufflehog?
Description
Some tools store credentials in the macOS Keychain in an unsafe way by creating the item with the `security` command-line tool. Items added this way carry an ACL that grants `/usr/bin/security` access, so any other process on the machine can read the credential by invoking `security`, without any user prompt.
Create a secret:

```sh
security add-generic-password \
  -a "test-account" \
  -s "trufflehog-test-service" \
  -w "super-secret-value" \
  -U
```

Enumerate secrets readable by `security` (takes a long time):

```sh
security dump-keychain -a | less
# search for /usr/bin/security in the "applications" list of each item's ACL entries
```

Read the secret:

```sh
security find-generic-password -a test-account -g
# ...
# password: "super-secret-value"
```
Preferred Solution
Ideally a new trufflehog source:
- Enumerate all unlocked macOS keychains.
- Enumerate all readable secrets in each keychain.
- Read each secret and pass it further down the pipeline.
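Added example (not part of this issue or of trufflehog): a small Python parser over `security dump-keychain -a` output that automates the "search for /usr/bin/security" step from the description, flagging items whose ACL grants `decrypt` to `/usr/bin/security` and that a new source would therefore want to enumerate. The embedded dump is a constructed, abridged sample in the shape of that output, not real output, and `readable_without_prompt` is a hypothetical helper name.

```python
import re

# Constructed sample in the shape of `security dump-keychain -a` output (abridged,
# not real output): item 1 was added with the `security` CLI, item 2 by a normal app.
SAMPLE_DUMP = '''keychain: "/Users/me/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="test-account"
    "svce"<blob>="trufflehog-test-service"
access: 1 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications (1):
            0: /usr/bin/security (OK)
keychain: "/Users/me/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="cli-user"
    "svce"<blob>="example-app"
access: 1 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications (1):
            0: /Applications/Example.app (OK)
'''

ATTR_RE = re.compile(r'^\s*"(acct|svce)"<blob>="([^"]*)"', re.M)

def parse_dump(dump: str) -> list[dict]:
    """Split dump-keychain output into items; flag those whose ACL grants
    'decrypt' to /usr/bin/security, i.e. readable by any process with no prompt."""
    items = []
    # Every item begins with a 'keychain:' line; the split leaves an empty first chunk.
    for rec in re.split(r'^(?=keychain: )', dump, flags=re.M):
        if not rec.strip():
            continue
        m = re.search(r'^keychain: "([^"]*)"', rec, re.M)
        attrs = dict(ATTR_RE.findall(rec))
        flagged = False
        # ACL entries start with 'entry N:'; one entry with decrypt + security suffices.
        for entry in re.split(r'^\s*entry \d+:', rec, flags=re.M)[1:]:
            auths = re.search(r'authorizations \(\d+\): (.*)', entry)
            if auths and 'decrypt' in auths.group(1).split() and '/usr/bin/security' in entry:
                flagged = True
        items.append({'keychain': m.group(1) if m else '', 'service': attrs.get('svce', ''),
                      'account': attrs.get('acct', ''), 'readable_by_security': flagged})
    return items

def readable_without_prompt(dump: str = SAMPLE_DUMP) -> list[dict]:
    # Items that `security find-generic-password -g` could read silently.
    return [i for i in parse_dump(dump) if i['readable_by_security']]
```

On a real host, pipe `security dump-keychain -a` for each unlocked keychain into `parse_dump` and only the flagged items need their values read and passed down the pipeline.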
Additional Context
None.
References
None.