If you are a security-aware person, you probably use one of the secure messengers. 😏 And maybe to improve your comfort, you installed its desktop version on your mac? Sometimes we leave our computer unattended when we go to make a coffee, or we need to talk with somebody in the other room. Since we are security-aware, we always lock our screens (you do that, right?). But what if all messages sent to you will be visible on your locked mac?

In this short blog post, I will present to you why the alphanumeric password is much more secure than using biometrics. At my home, as a total n00b, I was able to clone my finger that bypassed TouchID. To be honest in my case, effectiveness was about 10%-15% - but like I wrote before, it was my first time, and I didn’t have any professional tools. Before I start, I want to credit Łukasz Bobrek & Paweł Kuryłowicz from SecuRing that showed me their research.

During my work, I was auditing a Cordova App and then I saw a plain text password right in the logs. I talked to the developer and it proved that Cordova doesn’t support Keychain by itself. One of the most popular Keychain plugins (also used by this developer) is https://github.com/ionic-team/cordova-plugin-ios-keychain. Turned out there was a forgotten NSLog call that logged all keychain entries: I have reported it and the bug is now fixed (CVE-2018-1000123).