Safari duplicates keychain items from self-created keychain into Local Items keychain

Originator:sbwoodside
Number:rdar://27292827 Date Originated:11-Jul-2016
Status:Open Resolved:
Product:OS X Product Version:
Classification: Reproducible:Yes
 
Summary:
I have created a separate keychain called "bank" to store my sensitive financial account passwords. I have done this to increase my security, since with this separate keychain I can use a different keychain password and set it to lock automatically after 5 minutes.

When I go to my bank website, Safari requests that I unlock the keychain. If I allow this, then Safari copies the keychain item from "bank" to "login", thus eliminating the security benefit.

Steps to Reproduce:
1. Open Keychain Access
2. Create a new keychain called "bank" with a unique password.
3. "New Password Item..." and enter the following:
   Keychain Item Name: https://www1.royalbank.com
   Account Name: [your bank card]
   Password: [your banking #]
   Note that I can reproduce this with RBC, CIBC, and Wells Fargo in the USA.
4. http://www.rbc.com/canada.html and click "Sign In"
5. A prompt appears to enter the password for the "bank" keychain. Enter it.
6. A prompt appears asking for permission to give Safari access to the password. Click "Always Allow".
7. In Keychain, search for "royal" and note that the password has not yet been duplicated.
8. Click "Sign In"
9. In Keychain, re-perform the search for "royal" (you can just hit return in the search box)

Expected Results:
The keychain item in the "bank" keychain would still be there and be the only one.

Actual Results:
There are now two identical keychain items, one in "bank" and one in "Login Items".

Version:
10.11.5 (15F34)

Notes:


Configuration:


Attachments:
'Screen Shot 2016-07-11 at 23.15.35.png' was successfully uploaded.

Comments

This might be the same as https://forums.developer.apple.com/thread/19265

By sbwoodside at Aug. 16, 2016, 4:59 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!