Fastlane leaks user login and Apple passwords


tl;dr Some Fastlane commands (aka lanes) write the user login and the Apple ID passwords in the login keychain where they are accessible by other apps. Your passwords might be at risk!

As I couldn't find anyone to whom I could report this security issue privately, I'm disclosing it publicly now.
The original maintainer, Felix Krause, redirected me to the MobileNativeFoundation where I didn't get any response. Nor did I get any response in this issue tracker.
I guess that says something about the Fastlane security in general.


Issue Description

Issue in fastlane match

fastlane match prompts the user for the login keychain password and then saves that password in the same keychain, where it is accessible via the security command to any app installed on the computer while the login keychain is unlocked.

Reproduction steps: run fastlane match with a simple configuration (set only mandatory options, like git url, etc) and check your login keychain afterwards. You should see a new entry fastlane_keychain_login added to it.

% fastlane match
[11:08:12]: Cloning remote git repo...
[11:08:12]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[11:08:13]: Checking out branch dev...
[11:08:13]: 🔓 Successfully decrypted certificates repo
[11:08:13]: Installing certificate...
[11:08:13]: Enter the password for ~/Library/Keychains/login.keychain-db
[11:08:13]: This passphrase will be stored in your local keychain with the name fastlane_keychain_login and used in future runs
[11:08:13]: This prompt can be avoided by specifying the 'keychain_password' option or 'MATCH_KEYCHAIN_PASSWORD' environment variable
[11:08:13]: Password for login keychain: **********
[11:08:24]: Type password for login keychain again: **********
[✔] Setting key partition list... (this can take a minute if there are a lot of keys installed)

To see the saved password, open a new terminal window and run:

% security find-internet-password -s fastlane_keychain_login -g

You should see your login password printed out at the bottom.

Here is the code requesting the user password:

if keychain_password.nil?

(Screenshot: the password entry stored in the keychain.)

Mitigation:

  1. fastlane match should not save the user password in the keychain. It should fail if no keychain_password option is provided or should request the user password every time it's needed.
  2. Fastlane should remove fastlane_keychain_login in the new version.
  3. Until the issue is fixed in Fastlane, the users should explicitly provide keychain_password option and should remove fastlane_keychain_login from their login keychain.

Issue in fastlane deliver (and possibly other lanes using AccountManager)

This issue is similar to the fastlane match one, but in this case the Apple ID password leaks via a deliver.<APPLE_ID> entry in the login keychain.

Reproduction steps: run fastlane deliver or fastlane upload_to_app_store (or any other command using AccountManager or create_session lane) and check your login keychain afterwards. You should see a new entry deliver.<APPLE_ID> added to it.

% fastlane create_session
[11:49:43]: -----------------------------------------------
[11:49:43]: --- Step: Switch to ios create_session lane ---
[11:49:43]: -----------------------------------------------
[11:49:43]: Cruising over to lane 'ios create_session' 🚖
[11:49:43]: Enter Apple ID: [email protected]
[✔] 🚀 Logging into to App Store Connect ([email protected])...
-------------------------------------------------------------------------------------
Please provide your Apple Developer Program account credentials
The login information you enter will be stored in your macOS Keychain
You can also pass the password using the `FASTLANE_PASSWORD` environment variable
See more information about it on GitHub: https://github.com/fastlane/fastlane/tree/master/credentials_manager
-------------------------------------------------------------------------------------
Password (for [email protected]): ********
Available session is not valid anymore. Continuing with normal login.
Successfully logged in to App Store Connect
--- Pass the following via the FASTLANE_SESSION environment variable:

To see the saved password, open a new terminal window and run:

% security find-internet-password -s deliver.<APPLE_ID> -g

You should see your Apple password printed out at the bottom.

(Screenshot: the keychain contents.)

Here is the code requesting the Apple ID password:

Mitigation: similar to fastlane match. Use FASTLANE_PASSWORD or DELIVER_PASSWORD to pass the Apple ID password to the lane. Fastlane should not store the Apple password in the login keychain and should remove any existing deliver password upon upgrade.
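The user-side mitigation for both issues above (check the login keychain for fastlane_keychain_login and deliver.<APPLE_ID>, then remove them) as an added shell example; this is not code from the report or from fastlane. It assumes both items are internet-password items, as the security commands quoted above indicate, and the APPLE_ID variable and --remove flag are this example's own.

```shell
# Added example, not code from the original report or from fastlane: audit the
# macOS login keychain for the two item names described above and remove them
# on request. Without -g, find-internet-password prints attributes, never the secret.

# Item name the report says fastlane match creates.
MATCH_ENTRY="fastlane_keychain_login"

# Item name the report says fastlane deliver creates for a given Apple ID.
deliver_entry_name() {
    echo "deliver.$1"
}

# Returns 0 if an internet-password item with this server/service name exists.
fastlane_entry_present() {
    security find-internet-password -s "$1" >/dev/null 2>&1
}

# Prints "FOUND: <name>" for each leaked entry; returns 0 if any was found.
# $1 is the Apple ID (optional); without it only the match entry is checked.
audit_fastlane_entries() {
    names="$MATCH_ENTRY"
    if [ -n "$1" ]; then
        names="$names $(deliver_entry_name "$1")"
    fi
    found=1
    for name in $names; do
        if fastlane_entry_present "$name"; then
            echo "FOUND: $name"
            found=0
        fi
    done
    return $found
}

# Deletes the named item if present; returns 1 if there was nothing to delete.
remove_fastlane_entry() {
    fastlane_entry_present "$1" || return 1
    security delete-internet-password -s "$1" >/dev/null 2>&1
}

# Usage: APPLE_ID=you@example.com sh fastlane_keychain_audit.sh [--remove]
if [ -n "$APPLE_ID" ]; then
    audit_fastlane_entries "$APPLE_ID" || echo "No fastlane entries found."
    if [ "$1" = "--remove" ]; then
        for name in "$MATCH_ENTRY" "$(deliver_entry_name "$APPLE_ID")"; do
            remove_fastlane_entry "$name" && echo "REMOVED: $name"
        done
    fi
fi
```

Run it while the login keychain is unlocked; after removing the items, pass the passwords via the keychain_password option and FASTLANE_PASSWORD as described above so fastlane has no reason to store them again.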
