PSA: Security researchers highlight two potential iCloud Keychain issues

Security researchers have highlighted a couple of potential iCloud Keychain issues you may want to be aware of in iOS 17 and macOS Sonoma.

One is that upgrading may switch the feature on if you previously had it off, while the second arises if you have the feature enabled and then toggle it off …

iCloud Keychain

iCloud Keychain dates all the way back to iOS 7 and OS X Mavericks, storing your passwords and card details in your iCloud account so that they are available across Apple devices. Adding or updating any data on one device syncs it to iCloud so that the changes are reflected on other devices.

All data of course uses end-to-end encryption, so that Apple has no access to your login credentials or payment cards.

Passkey support was added to iCloud Keychain in iOS 16.

Users report the feature toggling on automatically

Even with end-to-end encryption, not everyone chooses to use iCloud Keychain, and security researchers at Mysk note that a number of users who don’t have found that the feature had somehow switched itself on.

If you’re one of the few users who haven’t synced their Passwords & Keychain with iCloud and have upgraded to iOS 17, iPadOS 17 or macOS Sonoma, check your iCloud settings and make sure the option to sync “Passwords & Keychain” is off. This case was reproducible in our testing, but some iCloud accounts didn’t change the setting. The reason is not clear.

Turning iCloud Keychain off may not delete the data

If you do switch off iCloud Keychain, your data may no longer be deleted from Apple servers.

Here’s how Apple says this works:

When you sign out of iCloud on your device while iCloud Keychain is turned on, you’re asked to keep or delete your Keychain information.

  • If you choose to keep the information, your passwords and passkeys are stored locally on your device, but aren’t deleted or updated when you make changes on other devices.
  • If you don’t keep the information, your passwords and passkeys aren’t available on your device. An encrypted copy of your Keychain data is kept on iCloud servers. If you turn iCloud Keychain back on, your passwords and passkeys will sync to your device again.

Previously, you could force a deletion from iCloud:

If you don’t keep the information on at least one device, your Keychain data is also deleted from the iCloud servers.

One possibility is that this is related to the new Family Passwords feature, which lets you share credentials with trusted contacts (while Apple uses the word “family,” you can choose to share passwords with anyone).

We’ve reached out to Apple for comment, and will update with any response.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

