Skip to content

Instantly share code, notes, and snippets.

Last active Aug 19, 2020
What would you like to do?
Access to a keychain item's password via Security framework is lost if a user enters the wrong password once (rdar://50789571)


If a user enters the wrong password, when they are asked for their macOS user credentials to access the password of a keychain item, and press "Do not allow" when asked again, the following happens:

  • programmatic access to the keychain item's password using SecItemCopyMatching consistently fails with error OSStatus -25293, yet the user is never prompted to enter their macOS credentials

  • programmatic access to the password of any keychain item of the same keychain fails with error -25293

  • the user is not asked for their credentials again until they manually lock and unlock the login keychain (or any custom keychain the keychain item belonged to) in Keychain (or perform an action which locks and unlocks the keychain, like log out or restart of macOS)

WARNING: After trying to reproduce this problem, iMessage will no longer work until the login keychain is locked/unlocked manually

A custom script using the Security.framework keychain API's is available, but for most basic steps to reproduce the "security" command line utility is used.

Steps to Reproduce:

1.) Create a login keychain item for the test

$> security add-generic-password -l "Keychain Bug Test Item" -a "AccessToKeychainItemsPasswordIsLostRdar" -s "keychain-bug" -T "" -w "supersecurepassword"

2.) Try to access the test keychain item.

$> security find-generic-password -a "AccessToKeychainItemsPasswordIsLostRdar" -w

When presented with the authentication dialog, enter your macOS credentials. -> the password "supersecurepassword" is displayed in Terminal

3.) Try to access the test keychain item, but fail on purpose

$> security find-generic-password -a "AccessToKeychainItemsPasswordIsLostRdar" -w

This time, when presented with the authentication dialog, make sure to enter the wrong credentials and press "Allow". After being asked for your password a second time, press "Don't allow"

3.) Try to access the test keychain item again

$> security find-generic-password -a "AccessToKeychainItemsPasswordIsLostRdar" -w

You will notice that the command exits without displaying the password and without ever presenting an authentication dialog. Test if you are able to send a message in iMessage. That will no longer work.

In my tests, even keychain item's which "Allow any application to access this item without warning" were no longer able to retrieve the password

In addition, adding a new keychain item to the keychain the test item belonged to (login keychain) is no longer possible. If an application uses SecKeychainItemDelete/SecItemAdd to update a keychain item instead of SecItemUpdate that leads to the complete loss of the keychain item when an applications attempts to update the password of the keychain item.

1.) Try to add a new keychain item

$> security add-generic-password -l "Keychain Bug Test Item 2" -a "AccessToKeychainItemsPasswordIsLostRdar2" -s "keychain-bug-2" -T "" -w "supersecurepassword"
security: SecKeychainItemCreateFromContent (<default>): The user name or passphrase you entered is not correct.

Expected Results:

As before entering the wrong credentials, the user should simply be presented with an authentication dialog again. At the moment, they are not informed of any problem, yet won't be able for example in iMessage to send messages. The bug will show different symptoms in different applications, depending what keychain access is used for.

Actual Results:

The user is never prompted for entering their credentials again. Applications fail to work properly in different way.


macOS 10.14.3 (18D109), macOS 10.14.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment