Mac OS X and iOS Security Flaw Lets Hackers Steal Your Passwords

Discussion in 'Apple iPad News' started by dgstorm, Jun 17, 2015.

  1. dgstorm

    Editor in Chief
    Staff Member

    Jul 27, 2011

    It seems like there are a multitude of security flaws which get reported in the news at least once a month, and most of the time they turn out to be not that worrisome because they affect a small subset of users. This latest news is potentially more troubling as it also has the attention of Apple themselves.

    According to the latest report from security researcher Luyi Xing, Apple iPhone has a serious security flaw in iOS and OS X which will allow hackers to steal all of your passwords (or at least all passwords you have saved in Apple’s Keychain). Xing leads a team of seven researchers from Indiana University, Georgia Institute of Technology and Peking University. They recently discovered a serious zero-day flaw in Apple's Keychain service. Here's a quote with more of the details,

    The good news is that Apple has been alerted to the issue and is working hard to address the problem. The bad news is that Apple has been aware of it since October, but has yet to actually address the issue in any of their latest OS versions.

    The video above is a demonstration of the flaw. We felt it was important to share this issue for those who are concerned about security on their Apple devices.

    Source: The Register
  2. John903

    iPF Novice

    May 3, 2015
    I read the paper and the keychain vulnerability is limited to OS X. There was no reference to any keychain vulnerability in iOS. The references to iOS in the paper are related to URL scheme hijacking. That in itself, while a problem, has nothing to do with the keychain and is not a method to steal passwords.
  3. twerppoet

    iPad Legend II

    Jan 8, 2011
    The thing is, it requires them to install an app.

    While the researchers did manage to sneak an app past Apple's vetting system, it is still something you have to install, and it's still going to be an app from some small-time developer; one who's had to lie about their information. It will be difficult for them to look legitimate on the web without leaving a nice trail for the 'inevitable' investigation.

    So, the old precaution of not downloading random apps without checking out their source is still a pretty good defense. The same defense we've used on computers for ages. The only difference is that you should trust Apple's App stores just a little bit less. Especially when it comes to free apps, especially free apps that seem to promise impossible value for the price, and have no visible means of support.

    Going to hurt the small developers, this one. But then security paranoia always has.
