Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]
LIKE
TWEET
SHARE
PIN
SHARE
POST
MAIL
MORE
Posted June 17, 2015 at 2:56pm by iClarified
Security researchers have found a way to crack Apple's keychain making it possible to steal passwords from any installed app including the native the Mail app without being detected, reports The Register.
Indiana University's Luyi Xing, Xiaolong Bai, XiaoFeng Wang, and Kai Chen, joined Tongxin Li of Peking University and Xiaojing Liao of Georgia Institute of Technology to publish the paper Unauthorized Cross-App Resource Access on MAC OS X and iOS.
"Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register. "Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store."
"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."
The security flaws are still present in Apple's operating system today despite being submitted to Apple in October 2014. About 88.6% of 1612 Mac and 200 iOS apps tested were found to be "completely exposed" to this attack.
Notably, Apple may not have issued a fix yet due to the complexity of resolving it. Apple asked the researchers to grant them a six month extension before disclosing the vulnerability and in February asked them to see an advance copy of the research paper before it went public.
When notified of the bug, Google's security team removed Keychain integration from their Chrome browser and noted that it likely could not be solved at the application level. AgileBits, who makes 1Password, said it could not find a way to ward off the attack or make the malware "work harder" some four months after its disclosure.
"Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense," said the researchers.
We've yet to hear a statement from Apple on the matter but hopefully the company can address the issue in a future software update. Please follow iClarified on Twitter, Facebook, or RSS for updates.
Apple is trying to make iOS secure. What copy? What if this is the same hacker that applies to anything else? You gonna assume that's copying to? How about the exact number of people's devices affected, huh?
Has anyone read that document (study) ? Probably not because immediately on the first page is written that even Microsoft, Android and others have the same issue. But in case of android it is function which is probably appreciated but in case of Apple it is vulnerability.
Yes it is, so wait. probably is not easy to be fixed, but I assume that apple will fix it soon and all of us will be upset again, because applications wouldn't be able to share data between them.
duh nsa puts these flaws in on purpose and when they are found out they are fixed and new ones implemented till next round big brother man theres always a way some not intentionally made by apple or thier software writers tho --dont cha member when apple openly admited that they knew nsa had means of accessing thier devices and then turned around and denied it later
Hi, I'm Megan and I work for AgileBits, the makers of 1Password.
For our security expert's thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we'd love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.
Lol there are no such thing as security issues with Apple. Apple is the most secure company in the universe. Star trek aliens couldn't even hack Apple.
Tell that to the critics that have been fed up with android and have been with iOS as an enterprise compared to industry shrinkage, never less no matter how bad it even is for iOS, it still changes nothing since the beginning! Lawl. It's secured as they it is, but even with flaws, jailbreak has tools to strengthen it, a team that's not part of Apple but made for iOS and may go beyond them sometimes!
Wow the Microsoft and Google propaganda machine at work. Apple is the most secure company in the universe. They can't be hacked by anything and they never have flaws in their software. They always test everything 110 percent. Microsoft and Google must be scared.
Lol I think all he's saying is that not a single OS is 110 percent secure. Yes, Apple is one of the most secure companies but still it has some security issues, like everyone else.
that is not new ... even with OS X you have to know what you are installing in your computer, or someone will still it from you. for more than 15 years that i am with OS X and never used a extra App for security, firewall, virus and malware family , and i am very happy no one has damage stole or whatever in may computers :)
![Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]](/images/news/49891/233962/233962-64.png "Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]")
![Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]](/images/news/49891/419946/419946.jpg "Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]")
![DJI's New 'Osmo Mobile 7' Gimbals Bring Next-Level Stabilization to iPhone [Video]](/images/news/96459/96459/96459-160.jpg "DJI's New 'Osmo Mobile 7' Gimbals Bring Next-Level Stabilization to iPhone [Video]")
![Apple Shares Official Trailer for 'Dope Thief' [Video]](/images/news/96457/96457/96457-160.jpg "Apple Shares Official Trailer for 'Dope Thief' [Video]")
![Is This the iPhone 17 Pro? New Renders Spark Debate [Images]](/images/news/96449/96449/96449-160.jpg "Is This the iPhone 17 Pro? New Renders Spark Debate [Images]")
![Base Model iPhone 17 to Keep Same Design as iPhone 16 [Rumor]](/images/news/96448/96448/96448-160.jpg "Base Model iPhone 17 to Keep Same Design as iPhone 16 [Rumor]")
![Apple AirPods 4 With ANC On Sale for $148.99 [Deal]](/images/news/96451/96451/96451-160.jpg "Apple AirPods 4 With ANC On Sale for $148.99 [Deal]")
![Apple 14-inch M4 MacBook Pro Back On Sale for $199.01 Off [Deal]](/images/news/96241/96241/96241-160.jpg "Apple 14-inch M4 MacBook Pro Back On Sale for $199.01 Off [Deal]")
![New Apple iPad mini 7 On Sale for $399! [Lowest Price Ever]](/images/news/96096/96096/96096-160.jpg "New Apple iPad mini 7 On Sale for $399! [Lowest Price Ever]")
![Apple Watch SE 2 is Back on Sale for Just $169 [Deal]](/images/news/96370/96370/96370-160.jpg "Apple Watch SE 2 is Back on Sale for Just $169 [Deal]")
![AirPods 4 On Sale for $99.99 [Lowest Price Ever]](/images/news/96326/96326/96326-160.jpg "AirPods 4 On Sale for $99.99 [Lowest Price Ever]")
