CloudPull 2.7.4 is now available with these improvements:

  • In response to recent news of an OS X keychain vulnerability:
    • When adding or updating Google account credentials, CloudPull first deletes any pre-existing entries that might exist for that account in the keychain and then adds a new keychain entry. It never updates existing keychain entries.
    • The first time this version of CloudPull is run, it will delete its Google account credentials from the keychain and then add them again.
  • Fixed a bug displaying items that have an indeterminate last modified date.

In short, the keychain vulnerability referenced above is this:

  • Developer of Malicious App knows that Good App creates certain keychain items.
  • Before Good App is ever installed or running, Malicious App creates a keychain item with the expected service name and account name. Malicious App is code signed in such a way that its keychain items are available to both itself and to Good App.
  • Good App runs, and updates the keychain item with account credentials.
  • Malicious App now has access to these account credentials.

This is a significant vulnerability in the OS X keychain that I hope Apple addresses very soon. In the meantime, this improvement will help protect the secrecy of the credentials CloudPull uses to access your Google accounts. CloudPull does not store your account password at all, but it does use the keychain to store OAuth tokens that grant it access to your accounts.

For customers running CloudPull on Lion or Mountain Lion, the keychain improvements are also available in a version 2.5.7 update.