AppleScript Keychain unlockers: a security issue

Unlock Keychain script model 1.1 and Keychain Unlocker 2.0.1 are updates to these utilities that use AppleScript to provide a simple way to unlock your Mac OS 9 keychains.

David Converse informs us about a security issue with these programs:

"There is a flaw in AppleScript which renders any saved script insecure. For these "Unlock" scripts, both authors have posted sample scripts with a generic password. Instructions are to substitute the desired Keychain password and save the script as a run-only applet. This is supposed to make editing impossible so the embedded password cannot be read. However, opening the saved applet in ResEdit will reveal the password.

To reproduce the problem, save one of the scripts as run-only and open the "scpt" resource in ResEdit. You'll find your password revealed in all it's plain text glory."

Acknowledging this, the web page for Unlock Keychain now includes this statement:

SECURITY ISSUE: It is possible for people to read your password in the run-only AppleScript you create with this model. Make sure no-one is able to access your script over the network. If you don't know who has access to your computer you should consider using the Multiple user accounts of Mac OS 9, or the Password Security for PowerBooks.