-- Connecting to michaelnordmeyer.com:1965...

Safari’s iCloud Keychain Creates a Security Problem


Saving your website logins in Safari on macOS or iOS is very convenient. No more typing in login credentials, as they are filled in automatically. The keychain is synced via iCloud if you want it to be, so you get automatically filled-in logins on your mobile devices as well.


There’s just one problem. If you think this is a problem.


Safari also fills in the current-password field on profile pages where you can change your password. While this is also very convenient, it defeats the purpose of asking for the current password as a security measure.


Making users type in their current password before changing sensitive information is a security measure that keeps malicious people from using your unlocked computer to change your password to one you don’t know. The same goes for the email address. They can lock you out of your account without you ever being able to reset the password again.


While I like the convenience, I think it’s quite a problem, because it severely weakens your ability to protect your accounts. Automatic logins to websites are okay, but weakened security for sensitive account data is not.

-- Page fetched on Tue May 21 21:15:33 2024