Safari duplicates keychain items from self-created keychain into Local Items keychain
Originator: sbwoodside
Number: rdar://27292827
Date Originated: 11-Jul-2016
Status: Open
Resolved:
Product: OS X
Product Version:
Classification:
Reproducible: Yes
Summary:
I have created a separate keychain called "bank" to store my sensitive financial account passwords. I have done this to increase my security, since with this separate keychain I can use a different keychain password and set it to lock automatically after 5 minutes. When I go to my bank website, Safari requests that I unlock the keychain. If I allow this, then Safari copies the keychain item from "bank" to "login", thus eliminating the security benefit.

Steps to Reproduce:
1. Open Keychain Access
2. Create a new keychain called "bank" with a unique password.
3. "New Password Item..." and enter the following:
   Keychain Item Name: https://www1.royalbank.com
   Account Name: [your bank card]
   Password: [your banking #]
   Note that I can reproduce this with RBC, CIBC, and Wells Fargo in the USA.
4. Go to http://www.rbc.com/canada.html and click "Sign In"
5. A prompt appears to enter the password for the "bank" keychain. Enter it.
6. A prompt appears asking for permission to give Safari access to the password. Click "Always Allow".
7. In Keychain, search for "royal" and note that the password has not yet been duplicated.
8. Click "Sign In"
9. In Keychain, re-perform the search for "royal" (you can just hit return in the search box)

Expected Results:
The keychain item in the "bank" keychain would still be there and be the only one.

Actual Results:
There are now two identical keychain items, one in "bank" and one in "Login Items".

Version:
10.11.5 (15F34)

Notes:

Configuration:

Attachments:
'Screen Shot 2016-07-11 at 23.15.35.png' was successfully uploaded.
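A way to check for the duplication described in this report without searching Keychain Access by hand, as an added example that is not part of the original report: it parses the attribute listing printed by `security dump-keychain` (no secrets are printed without `-d`) and flags any server/account pair that exists both in the protected keychain and in another one. The sample dump, paths and account values are constructed, and it assumes the copy lands in a file-based keychain that `security dump-keychain` can list.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `security dump-keychain`
# (attributes only). Paths and account values are made up for the example.
SAMPLE_DUMP = '''\
keychain: "/Users/alice/Library/Keychains/bank.keychain"
class: "inet"
attributes:
    "acct"<blob>="4519000000000000"
    "srvr"<blob>="www1.royalbank.com"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="4519000000000000"
    "srvr"<blob>="www1.royalbank.com"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="alice@example.com"
    "srvr"<blob>="mail.example.com"
'''

KEYCHAIN_RE = re.compile(r'^keychain: "(.*)"$')
ATTR_RE = re.compile(r'^\s+"(acct|srvr)"<blob>="(.*)"$')

def parse_items(dump):
    """Return a list of (keychain_path, server, account), one per dumped item."""
    items, current = [], None
    for line in dump.splitlines():
        m = KEYCHAIN_RE.match(line)
        if m:  # every item in the dump starts with its own keychain: line
            current = {"keychain": m.group(1)}
            items.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return [(i["keychain"], i.get("srvr"), i.get("acct")) for i in items]

def leaked_from(dump, protected_name):
    """Return (server, account) pairs held in the protected keychain and elsewhere."""
    locations = defaultdict(set)
    for keychain, server, account in parse_items(dump):
        if server and account:
            locations[(server, account)].add(keychain)
    return sorted(key for key, chains in locations.items()
                  if len(chains) > 1
                  and any(c.endswith(protected_name) for c in chains))

if __name__ == "__main__":
    for server, account in leaked_from(SAMPLE_DUMP, "bank.keychain"):
        print(f"duplicate outside protected keychain: {server} ({account})")
```

On a real system the input would be the saved output of `security dump-keychain` for the keychains in the search list, taken after step 9.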
Comments
This might be the same as https://forums.developer.apple.com/thread/19265