Apple iPad Forum 🍎


Mac OS X and iOS Security Flaw Lets Hackers Steal Your Passwords

dgstorm

Editor in Chief

It seems like there are a multitude of security flaws which get reported in the news at least once a month, and most of the time they turn out to be not that worrisome because they affect a small subset of users. This latest news is potentially more troubling as it also has the attention of Apple themselves.

According to the latest report from security researcher Luyi Xing, Apple iPhone has a serious security flaw in iOS and OS X which will allow hackers to steal all of your passwords (or at least all passwords you have saved in Apple’s Keychain). Xing leads a team of seven researchers from Indiana University, Georgia Institute of Technology and Peking University. They recently discovered a serious zero-day flaw in Apple's Keychain service. Here's a quote with more of the details:

“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorized access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome. Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.

“We completely cracked the Keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”

The good news is that Apple has been alerted to the issue and are working hard to address the problem. The bad news is that Apple has been aware of it since October, but has yet to actually address the issue in any of their latest OS versions.

The video above is a demonstration of the flaw. We felt it was important to share this issue for those who are concerned about security on their Apple devices.

Source: The Register
 

John903

iPF Noob
I read the paper and the keychain vulnerability is limited to OS X. There was no reference to any keychain vulnerability in iOS. The references to iOS in the paper are related to URL scheme hijacking. That in itself, while a problem, has nothing to do with the keychain and is not a method to steal passwords.
 

twerppoet

iPad Fan
The thing is, it requires them to install an app.

While the researchers did manage to sneak an app past Apple's vetting system, it is still something you have to install, and it's still going to be an app from some small-time developer; one who's had to lie about their information. It will be difficult for them to look legitimate on the web without leaving a nice trail for the 'inevitable' investigation.

So, the old precaution of not downloading random apps without checking out their source is still a pretty good defense. The same defense we've used on computers for ages. The only difference is that you should trust Apple's App stores just a little bit less. Especially when it comes to free apps, especially free apps that seem to promise impossible value for the price, and have no visible means of support.

Going to hurt the small developers, this one. But then security paranoia always has.
 
