Update: I want to clear up some misconceptions. This is not a security bug in OS X. Everything works as designed. The point of this post was to show a post-exploitation technique and to release a tool for the job. I found this particular technique interesting because it is instantaneous, reliable across OS X versions, and requires no persistent changes in the system.
TL;DR: Root can read the plaintext keychain passwords of logged-in users in OS X. An open-source proof of concept is included.
There is a design compromise in Apple’s keychain implementation that sacrifices some security for a lot of usability.
As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves. I’m sure Apple is perfectly aware of the security implications, and made the bargain intentionally.
Because this is an intentional design decision rather than a security bug, its exploitation should not come as a surprise. However, I haven’t seen anyone actually use or mention any practical methods in public before.