Is there a bug that exposes your iCloud Keychain data to members of your Family Sharing account? Probably not. But reports of the “bug” do illustrate a good point about security.
If you frequent the Apple social media community, you may have noticed a tweet over the weekend from Indian iOS developer Tanmay Sonawane. In the tweet, Sonawane claims that there is a bug that caused login credentials stored in his Keychain to populate on his brother’s device.
That would be a massive security vulnerability if it turned out to be true — but there’s likely something else going on. Here’s what you should know.
What’s Going on?
The issue doesn’t appear to be tied to iOS 13, since there are sporadic reports of it stretching back at least a few years.
But contrary to the initial report, this is very likely not a vulnerability or bug within Apple’s system. Instead, it’s probably caused by user error.
In at least a few of the reports of this “bug,” the impacted users later admitted that it was their own fault (specifically, logging into another person’s device with their own credentials).
In other words, this doesn't appear to be a bug or vulnerability. But it is still something you should be aware of if you use Keychain as your primary password manager, because the underlying behavior (your saved credentials appearing on someone else's device) is real even if the cause is user error.
How to Protect Yourself
Let's be clear. You don't need to sign out of Family Sharing or wipe your iCloud Keychain data to avoid this issue.
There's really only one step to mitigating the security and privacy risk associated with Keychain. It's simple but incredibly important: don't sign into other people's devices with your own Apple ID.
It doesn't matter if you sign out afterward or only stay signed in for a short time.
By these reports, signing in at all is enough for your Keychain to sync to that device and merge with the keychain already on it, so your saved logins can end up on a device that isn't yours. That's obviously a major security concern if your Keychain holds all of your important passwords. If you have signed into someone else's device in the past, it's worth checking the list of devices associated with your Apple ID (in Settings under your name, or at Apple's account page) and removing any device that isn't yours.
So, no, there’s probably not a massive Keychain vulnerability associated with Family Sharing. But there’s still a chance that you’re inadvertently leaking your iCloud Keychain data to others. Just something to be aware of.