strange entries in keychain, under an account called "waldo"

Question

sunny_gb Author

Level 1

25 points

strange entries in keychain, under an account called "waldo"

I noticed the following entries in the keychain of my MacBook Air

com.apple.NetworkServiceProxy.Configuration

com.apple.NetworkServiceProxy.WaldoInfo.com.apple.parsed

com.apple.NetworkServiceProxy.WaldoInfo.com.apple.nspcurl

com.apple.NetworkServiceProxy.WaldoInfo.com.apple.pie2.hosts

all under an account called: “waldo”

But there isn’t an account called Waldo on the machine.

and the machine was recently reformatted and MacOS reinstalled. (no other apps were installed, and I didn't connect an iCloud account either..)

I took the Mac to the Genius Bar at my closest Apple Store

The person I spoke was very helpful, but he didn’t recognise the entries either and so suggested rebooting the machine from their network, formatting and then reinstalling MacOS again.

After doing that we assumed that those entries would have been removed

so I turned Wifi Off (while in the store), and went home

However when I got home I checked the machine’s again, and noticed these entries were still there in the keychain…

I took the machine to the Apple Store again the next day but couldn’t get an appointment at the Genius Bar

Hence why I’m posting the message here..

Does anyone know what these entries are…?

And how could they still be on the machine, after it’s had MacOS reinstalled.

Background Info:

A couple weeks before I noticed these entries, I had already restarted the machine into recovery partition, formatted the hard drive and re-installed MacOS from my home Wifi..

Since then the Wifi has been switched off..

However I did connect to the internet once via Bluetooth on my iPhone 6 plus, but it was only for a few minutes, in order to download a printer Driver

apart from that time the machine wasn’t connected to the internet.

Hence I think the entries may have 'jumped' over from my iphone…

(I’ve had many other issues recently.. e.g. my playstation, and Uber accounts were hacked… and even one of my iCloud accounts..)

Hope someone can help!

Thanks in advance 🙂

S.

MacBook Air, macOS Sierra (10.12.4)

Posted on Apr 28, 2017 12:06 AM

Reply

Answer 1

Best reply

lherbert4777

Level 1

4 points

Aug 17, 2017 1:04 PM in response to sunny_gb

I'm having the same issue, and there seems to be little detailed information to be found via a Google search. Adding further to the strangeness, I tried putting waldoinfo.com into browser address field and it keeps auto redirecting to various sites. This has the look and feel of something nefarious. Here's my info also:

com.apple.NetworkServiceProxy.WaldoInfo.com.apple.nspcurl

com.apple.NetworkServiceProxy.WaldoInfo.com.apple.parsecd

com.apple.NetworkServiceProxy.WaldoInfo.pie2.hosts

Reply

Answer 2

Nov 28, 2017 3:52 AM in response to sunny_gb

So, 191 people also had this question, but I don't see any valid answers. If this is the "Official" Apple support community, why hasn't someone from Apple taken a few moments away from their latte and answered it?

Reply

Answer 3

sunny_gb Author

Level 1

25 points

Apr 28, 2017 10:37 AM in response to John Galt

After speaking to the nice gentleman at the Genius Bar, I bought a brand new MacBook Pro

I've been using it for more than a week now, and it doesn't have those entries...

Reply

Answer 4

John Galt

Level 10

140,942 points

Apr 28, 2017 9:33 AM in response to sunny_gb

All my Sierra Macs have that Keychain entry.

There is no "jumping" from anything, unless you include that to mean information shared among devices using the Apple ID they share, which encompasses an enormous amount of information.

Reply

Answer 5

sunny_gb Author

Level 1

25 points

May 3, 2017 8:51 AM in response to fedinvs

Hi Fedinvs

He said he'd never seen that before and agreed it looked strange especially the account name..

He also said it could be something do to with some apple servers called Waldo.apple.com

But he didn't know what they were for, nor certain if the two things were related..

Hence he suggested rebooting off their network and doing a clean reinstall.. as that should completely remove it..

And confident of that we didn't check if it had come back.. so we just packed it up..

It wasn't untill I got home that I realised the entries were still there ..

Reply

Answer 6

t_j_kent

Level 1

8 points

Jul 23, 2017 8:19 AM in response to sunny_gb

Hi

So i have the EXACT same issue... it looks like my iphone and macbook air has been hacked?

Did you resole/find out what it was?

Also, could you tell me what a clean system reinstall is? Thanks in advance!

Reply

Answer 7

Sep 28, 2017 9:09 AM in response to lherbert4777

hello, I had this same problem and hope I fixed it yesterday. I had these exact same Waldo entries you do (did). I have been having numerous work interruptions by various supposed Apple or other entities asking for permission to use the keychain. After reading yesterday in various news outlets about the "Zero Day" flaw in High Sierra, I started to wonder if that was going on here since the article I read said that this flaw dates back to EL Capitan. I found out from trying to delete the Waldo passwords that I could not do so until I had accepted all the keychain requests. Once I reluctantly did that I was able to unlock Keychain, select the subject Waldo files you pointed out and control/deleted them. Then I locked the keychain again and disk some disk cleaning and housekeeping. I hope I got rid of them.

This increased level of interruption from Keychain is really getting annoying and also worrisome because of this password hacking flaw that appears to have been around for awhile. I just can't help feeling these two things may be related. I'm wondering how I can be sure that even the requests which purport to be an Apple.com entity are real or "valid".

Reply

Answer 8

Dec 12, 2017 5:48 AM in response to sunny_gb

I have the same issue.

After installing Sierra 10.13.1 (17B1003) I'm having problem with Outlook 2011 for Mac to log in to one of my Gmail accounts and continuously receive pop-ups too . Entering the right password etc. did not work, so I was looking in the Keychain and found the Waldo stuff as well.

Something is wrong here, would like Apple to react on this.. My productivity is down dramatically now...

Reply

Answer 9

fedinvs

Level 1

4 points

May 3, 2017 7:59 AM in response to sunny_gb

Did he say what the entries where?

Reply