In November 2023, Apple released updates for a critical security vulnerability: CVE-2023-40401. This issue was reported in macOS Ventura and patched in version 13.6.1. It allowed attackers to access "passkeys" (Apple’s password replacement for logins) without any authentication. In this post, I’ll break down what CVE-2023-40401 is, show how it could’ve been exploited, and share how Apple fixed it. Whether you’re a Mac user or a security enthusiast, this plain English guide will help you understand the real risks and what was at stake.

What is CVE-2023-40401?

CVE-2023-40401 is a vulnerability in macOS Ventura that allowed someone (potentially malware or a malicious app) to access stored passkeys without requiring the user to authenticate — essentially bypassing the security check that keeps your passkeys safe.

Normally, Apple’s passkeys (digital credentials for sites and apps) are tightly guarded, requiring your password or biometrics (Touch ID/Face ID) before use. But with this bug, that layer could be skipped under certain conditions.

Apple’s official description:
> "The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.6.1. An attacker may be able to access passkeys without authentication."
> — Apple Security Advisories

What Could Attackers Really Do?

In practice, an attacker running code on your Mac could connect to system components (like Keychain or LocalAuthentication), and request your passkey — possibly for Google, Facebook, banking, or work logins. If you weren’t on the patched version, the system might return the passkey without asking you for any password or approval.

The Exploit in Simple Terms

Before the patch, the permissions check for passkey access was incomplete. Here's a step-by-step of how an exploit could look, in pseudo-code.

```swift
import AuthenticationServices
import Foundation

// Payload pretending to be a legit app/service:
let request = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: "example.com")

// Maliciously request a passkey credential – old system may skip authentication!
let authRequest = request.createCredentialAssertionRequest(challenge: Data())

let controller = ASAuthorizationController(authorizationRequests: [authRequest])
controller.delegate = self // pseudo-code: assumes this runs inside a delegate object
controller.performRequests() // May succeed without user auth on impacted systems
```

If crafted right, the code above could receive the passkey. With the proper API calls and lack of permissions checks, a malicious app could extract secrets without any biometrics or password prompt.

Apple released Ventura 13.6.1 in November 2023. Here’s what Apple changed:

- Additional Permission Checks: Apple audited the code path, especially around LocalAuthentication and related frameworks, to enforce user authentication before returning any passkey to any app.
- Stronger Isolation: Unauthorized or background apps requesting passkeys are always denied unless the user explicitly approves.

Reference:
- About the security content of macOS Ventura 13.6.1
- Apple Security Advisories - CVE-2023-40401

Who was at risk?

- All users running macOS Ventura before version 13.6.1, especially if untrusted apps or malware could be installed.
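
To find machines still in that range, the check below classifies a macOS version string against the 13.6.1 fix and filters a host inventory. It is an added example, not code from Apple or from the original post; the function names and the sample inventory are made up for illustration, and versions outside Ventura are reported as out of scope because this post only covers 13.x.

```shell
#!/bin/sh
# Added example: classify macOS versions against the Ventura 13.6.1 fix
# for CVE-2023-40401. Function names and inventory data are hypothetical.

# Prints one of: vulnerable | patched | not-ventura | invalid
ventura_passkey_status() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split "13.6.1" into 13 6 1
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    # Only Ventura (13.x) is covered by the post; do not guess for others.
    if [ "$major" -ne 13 ]; then echo not-ventura; return 0; fi
    if [ "$minor" -gt 6 ] || { [ "$minor" -eq 6 ] && [ "$patch" -ge 1 ]; }; then
        echo patched
    else
        echo vulnerable            # includes plain "13.6", which predates 13.6.1
    fi
}

# Reads "hostname version" lines on stdin, prints hosts that still need the update.
list_vulnerable_hosts() {
    while read -r host version; do
        [ -n "$host" ] || continue
        if [ "$(ventura_passkey_status "$version")" = vulnerable ]; then
            echo "$host"
        fi
    done
}

# Constructed sample inventory (hostnames and versions are made up).
sample_inventory() {
    cat <<'EOF'
mac-design-01 13.5.2
mac-design-02 13.6.1
mac-build-01 13.6
mac-exec-01 14.1
mac-lab-01 12.7.1
EOF
}

# On a Mac, report the local machine; sw_vers is absent elsewhere.
if command -v sw_vers >/dev/null 2>&1; then
    echo "this host: $(ventura_passkey_status "$(sw_vers -productVersion)")"
fi
sample_inventory | list_vulnerable_hosts
```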

Key Takeaways

- CVE-2023-40401 was a critical flaw that made it possible for malware (or a rogue app) on your Mac to steal all your passkeys, skipping authentication.

Conclusion

Passkeys are the future of secure login. But as this case shows, strong technology still needs airtight implementation. Apple moved quickly to patch CVE-2023-40401 — but it’s another reminder that security updates matter.

Stay safe:

- Watch what you install.
- Follow Apple’s security feed to stay in the loop.


References:
- Apple Security Updates – CVE-2023-40401
- About macOS Ventura 13.6.1
- CISA Known Exploited Vulnerabilities Catalog

Timeline

Published on: 10/25/2023 19:15:09 UTC
Last modified on: 11/02/2023 19:43:45 UTC