I had an iPhone and a MacBook, both on iCloud and keychain synced.

I then logged out from iCloud on both, wiped them and sold them.

I then bought a new iPhone and MacBook and logged in to my iCloud account, used the same passcode on my devices and all my keychain data was still there!

According to Apple's documentation the keychain should be wiped off the servers when all devices log out.

(I had two Apple TVs logged in to my account the whole time, but they don’t have access to the keychain from what I understand).

#Infosec #Apple #iCloud #Security

But if there is a retention period, that means your data could be at risk for all that time, if you change from an insecure passcode, or remove a device with an insecure passcode.

I have an old spare iPhone I used for more testing.

First I wiped it.

Then I set it up, and during the setup I:
- Set a passcode
- Created a new Apple ID

After it was up and running I saved a few passwords to the keychain.

I then logged out from iCloud and wiped the device.

Then I set it up again, using the same passcode.

When it was up and running I checked, and the passwords I had saved before were still there.

I then added another password to the keychain.

Then I changed the passcode.

After that I logged out from iCloud and wiped the phone again.

Then I set it up again.
This time I set it up to use the first passcode.

During the last step of the setup I was asked for a previous passcode.

I tried the first one I had set, but that was a no go.

Then I tried the newer passcode, and that was accepted, and when the phone was up and running I could see all the passwords in the keychain.

So it seems that the passcode from the last device can be used to access iCloud data.