Apple Updates Silently Enable iCloud Keychain
I’ve discovered today that unfortunately this issue—this bug, I would call it, though who knows whether Apple considers it a bug or “expected behavior”—still exists with the latest versions of macOS Ventura and Sonoma, 13.6.7 and 14.5 respectively.
[…]
The external drive had a macOS Ventura 13.6.7 boot volume with iCloud enabled but iCloud Keychain disabled. After updating the volume to macOS Sonoma 14.5, iCloud Keychain was enabled. (I then disabled iCloud Keychain, which actually caused System Settings to hang and eventually crash, but afterward iCloud Keychain did seem to be disabled.)
[…]
What I’d like to do is update from Ventura to Sonoma without an internet connection, giving Sonoma no chance to upload my passwords or other data to iCloud before I can disable iCloud Keychain.
[…]
You might wonder why I don’t sign out of iCloud before I update from Ventura to Sonoma. It turns out that there’s no point in that, due to another bug, “Signing out of iCloud and signing back in again forgets all of your previous iCloud settings” (FB12168173), which I also discovered last year.
Because installing macOS also re-enables Wi-Fi, his workaround was to turn off Wi-Fi after downloading the installer, delete his Wi-Fi password, and then install the update.
The success of the trial run gave me the confidence to update my main development machine, an M1 MacBook Pro, from Ventura to Sonoma. Unfortunately, for unknown reasons, I experienced a different result the second time. As before, the workaround did successfully prevent Sonoma from connecting to my WiFi network. And as before, I confirmed in System Settings that iCloud Keychain was still disabled after the Sonoma update. However, after I finally connected to my WiFi network again, I discovered to my horror that Sonoma did then silently enable iCloud Keychain. My workaround was ultimately futile.
Mysk:
If you’ve never enabled iCloud Keychain and recently upgraded to iOS 17, chances are good that your passwords are now stored on Apple servers. As confirmed by many users, iOS 17 secretly turns iCloud Keychain on. This video shows the entire process step by step[…]
Previously:
Update (2024-05-28): See also: Hacker News.
Update (2024-05-29): Marcin Krzyzanowski:
I noticed my disk storage went drastically low and I started to check system, then I realized something ( #macos update???) enabled iCloud Photos synchronization to my Mac (that can take all the storage it get, and for that very reason I didn’t enable it on my mac)
Update (2024-05-31): See also: TidBITS-Talk.
Update (2024-06-03): Johann Campbell:
Really wish Apple could stop toggling iCloud Photos on without my permission, when it KNOWS I won’t pay for more than the base 5 GB of iCloud storage.
Update (2024-06-05): Jeff Johnson:
A follower on Mastodon gave me a nice tip on how to prevent this in the future: create a configuration profile.
First, download the Apple Configurator app from the Mac App Store. Then open Apple Configurator, select New Profile from the File menu, uncheck Allow iCloud Keychain in Restrictions, and save the
.mobileconfigfile.
Update (2024-11-01): Jeff Johnson (Mastodon, Hacker News):
What I didn’t realize at the time, indeed didn’t realize until now, is that iCloud Keychain already uploaded all of my passwords and kept them in iCloud even after I disabled iCloud Keychain.
[…]
Today I was shocked to discover a bunch of my website passwords in Safari while booted into Sequoia on the Mac mini. There shouldn’t be any personal data on the mini, and iCloud Keychain is disabled in its Sequoia volume.
[…]
The question is, how do you delete all data from iCloud Keychain?
An old Apple support document suggests that there’s an option to delete the data from the cloud when you turn it off, but that no longer seems to be the case.
As a workaround, I manually deleted all of my passwords in the Passwords app in Sequoia, enabled iCloud Keychain, and then disabled iCloud Keychain again. To verify the password deletion, I booted into Sonoma on the Mac mini and enabled iCloud Keychain there. Fortunately, no passwords were downloaded from iCloud.
[…]
I’m still concerned about other data that may still be in iCloud Keychain. For example, what about wifi passwords? I can’t very well delete my wifi password on the Mac mini and then sync the deletion to iCloud Keychain, because of course I can’t sync anything without wifi! And what else does iCloud Keychain store that I can’t necessarily see in the user interface?
A crucial point to understand: unbeknownst to me, my passwords ended up on a device that I didn’t specifically authorize to download them.
The good news is that the device is owned by me and under my control. However, since it’s just a test machine with no personal data—or so I believed—it’s less protected than my other devices. For example, it has a weak login password, no Filevault, and no biometrics (Mac mini).
6 Comments RSS · Twitter · Mastodon
Yeah, I had it switched off for years (since I had a third-party password manager), but likewise one of the fairly recent updates (or a new machine setup) must’ve switched it on. Decided to give in and not fight it.
I've seen stuff like this for years. Updates on iOS routinely re-enabled Game Center even after having turned it off. iCloud Photos would routinely enable and start uploading images. iCloud drive for apps is opt-out instead of opt-in so as soon as an application is installed it starts putting data on a server.
I don't think any of this is malicious, it's simply coding and testing to the most common case / assumption - people are putting everything on Apple's servers.
I've been a user of Apple services since iTools (https://en.wikipedia.org/wiki/MobileMe#iTools), but I stopped using iCloud and logging in with an Apple ID on all my computers a few years ago because settings for these sorts of things are unreliable.
This particular case is probably linked to the wider rollout of Passkeys support across the major web platforms. Can’t have passkeys without the keychains.
I just noticed that a macOS update enabled iCloud Photos on my Mac, which started to download photos and drastically reduce the free space (that's how I noticed)
I am shocked — and that is not a word I use lightly — by how much data iCloud retains without any way of deleting it. All my Apple Accounts with iCloud enabled and all those I manage for customers or friends show heaps of data that cannot be accessed and merely remains trapped in the account.
Case in point, I have an Apple Account with 5590 “Messages in iCloud” which do not appear in Messages.app on any of the devices logged into it. The messages are there, presumably, but entirely inaccessible — and no, they’ve been there for years, so they are not just pending deletion.
As Fred McCann said above, this is not malicious behaviour, just plain old incompetence. My 5590 messages take a whopping 13 MB of data on their iCloud account: investigating that is not worth Apple’s engineering time and no user is going to complain about wasted storage space that is a mere rounding error.
Yet, collectively, we are talking about thousands of potentially sensitive data points for every single user, just waiting to be snapped up and stolen from Apple. In the case of Jeff’s passwords, these should at least be end-to-end encrypted (although he makes extremely good points, as always, about end-user expectations and threat modelling). But when it comes to Notes, Pictures, Text Messages, and app databases stuck in iCloud’s many opaque containers, who knows what’s there that should not be?
This is one of the very, very few times I wish the EU actually enforced the GDPR as it stands legally and not just politically. EU law could force Apple to solve these bugs, but that would not make the headlines, so nobody cares.
However hard I try, I can't disable Messages in iCloud. I always get the error, “Unable to update iCloud settings at this time.” That's a pity because messages syncing is broken and I want to start fresh with the local messages I already have to get it working again, without losing any more. But no—no syncing, so I must leave it disabled, waste 14 MB of space, and just manually delete everything several times. Total disgrace, but that's Apple's neglect for you.
And don't get me started on the benign enforcement of iCloud backup, on pain of constant prompts to enter your passcode to start local backups ...
