Keychain infected?

After upgrading to OS X Mavericks and iOS 7.0.3, I turned on iCloud Keychain on all devices and started using it. After a while I noticed a suspicious entry in Safari's password list: website = https:// (nothing more!), userid = BP-MHHxxxxxx@t-com.de, password = xxx-xxx-xxx (the x representing letters and digits). Up to now I've seen two of these entries, same format, different x.


The userid looks like a mail address related to t-com.de; this domain name points at T-Mobile and/or Deutsche Telekom.


These entries cannot be deleted. On mobile devices they seem to disappear, but after going out of and returning to the password list, they're back.


I tried several times to shut down Keychain on all devices, but after reconfiguring the suspicious entries reappeared.


An all new user on the Macbook is "infected" immediately as well.


A full system virus scan using Avast! doesn't show anything I can connect to what's described above.


- Anybody else?

- Next step?

MacBook Air, OS X Mavericks (10.9), And iPhones 4S, iPad 4 all iOS 7.0.


Posted on Oct 27, 2013 4:15 AM


Oct 31, 2014 4:50 PM in response to EagleO13

I have found a solution.


You need to use Keychain Access on OS X. In the sidebar select iCloud. You can locate the entry by searching for the part after the @ in the email address of that entry. Right click it. Select "Delete". It will be deleted from that machine as well as any other device synced with iCloud keychain.


I did this in Mavericks, but it should work on Yosemite as well.


As far as I know there is not yet a way to do this in iOS.


I filed a radar as well: rdar://18835323


Hope this helps.

Oct 31, 2014 9:12 PM in response to redaleme

Thanks redaleme. I also got it fixed on one iPhone which did not use iCloud Keychain by reinstalling iOS and setting up the iPhone as a new device (an extreme measure that worked too). I wonder if this user id got into the device because of visiting Frankfurt airport and using the Wi-Fi there. If so, that's pretty bad practice from telekom.de
