October 31, 2024
Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]

Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]

Posted June 17, 2015 at 2:56pm by iClarified
Security researchers have found a way to crack Apple's keychain making it possible to steal passwords from any installed app including the native the Mail app without being detected, reports The Register.

Indiana University's Luyi Xing, Xiaolong Bai, XiaoFeng Wang, and Kai Chen, joined Tongxin Li of Peking University and Xiaojing Liao of Georgia Institute of Technology to publish the paper Unauthorized Cross-App Resource Access on MAC OS X and iOS.

"Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register. "Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store."


"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."

The security flaws are still present in Apple's operating system today despite being submitted to Apple in October 2014. About 88.6% of 1612 Mac and 200 iOS apps tested were found to be "completely exposed" to this attack.

Notably, Apple may not have issued a fix yet due to the complexity of resolving it. Apple asked the researchers to grant them a six month extension before disclosing the vulnerability and in February asked them to see an advance copy of the research paper before it went public.

When notified of the bug, Google's security team removed Keychain integration from their Chrome browser and noted that it likely could not be solved at the application level. AgileBits, who makes 1Password, said it could not find a way to ward off the attack or make the malware "work harder" some four months after its disclosure.


"Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense," said the researchers.

We've yet to hear a statement from Apple on the matter but hopefully the company can address the issue in a future software update. Please follow iClarified on Twitter, Facebook, or RSS for updates.

Read More


Major Security Flaw in iOS and OS X Lets Attackers Steal Passwords From Any Installed App [Video]
Add Comment
Would you like to be notified when someone replies or adds a new comment?
Yes (All Threads)
Yes (This Thread Only)
No
iClarified Icon
Notifications
Would you like to be notified when we post a new Apple news article or tutorial?
Yes
No
Comments (16)
You must login or register to add a comment...
Where da steve
Where da steve - June 19, 2015 at 10:27pm
Apple got nothing else to copy thus they are copying security flaws. Nice innovation!!
gamerscul9870
gamerscul9870 - June 20, 2015 at 1:48am
Apple is trying to make iOS secure. What copy? What if this is the same hacker that applies to anything else? You gonna assume that's copying to? How about the exact number of people's devices affected, huh?
Patrikcze007
Patrikcze007 - June 18, 2015 at 5:32pm
Has anyone read that document (study) ? Probably not because immediately on the first page is written that even Microsoft, Android and others have the same issue. But in case of android it is function which is probably appreciated but in case of Apple it is vulnerability. Yes it is, so wait. probably is not easy to be fixed, but I assume that apple will fix it soon and all of us will be upset again, because applications wouldn't be able to share data between them.
gamerscul9870
gamerscul9870 - June 18, 2015 at 8:07pm
Sad for that? We have jailbreak and sometimes even that fixes it.
OHHdontCHaknow
OHHdontCHaknow - June 18, 2015 at 9:18am
duh nsa puts these flaws in on purpose and when they are found out they are fixed and new ones implemented till next round big brother man theres always a way some not intentionally made by apple or thier software writers tho --dont cha member when apple openly admited that they knew nsa had means of accessing thier devices and then turned around and denied it later
Even bigger Samsung fail..HAHAHAHAHA
Even bigger Samsung fail..HAHAHAHAHA - June 18, 2015 at 1:48am
Every Samsung Galaxy phone since the S3 has a MAJOR, even bigger, and UNFIXABLE security flaw. Check THIS out!!! BWAHAHAHAHA!!!
gamerscul9870
gamerscul9870 - June 18, 2015 at 1:56am
I heard a new flaw involving their keyboards!
Megan O'Brien
Megan O'Brien - June 17, 2015 at 9:57pm
Hi, I'm Megan and I work for AgileBits, the makers of 1Password. For our security expert's thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we'd love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.
Woz
Woz - June 17, 2015 at 5:50pm
Lol there are no such thing as security issues with Apple. Apple is the most secure company in the universe. Star trek aliens couldn't even hack Apple.
Diego Vilar
Diego Vilar - June 17, 2015 at 9:36pm
i'm right there with you, Woz. Apple's ass is so tight nothing can ever enter... lol
gamerscul9870
gamerscul9870 - June 18, 2015 at 1:02am
Tell that to the critics that have been fed up with android and have been with iOS as an enterprise compared to industry shrinkage, never less no matter how bad it even is for iOS, it still changes nothing since the beginning! Lawl. It's secured as they it is, but even with flaws, jailbreak has tools to strengthen it, a team that's not part of Apple but made for iOS and may go beyond them sometimes!
Ken
Ken - June 18, 2015 at 2:02am
Unlike yours right?
Woz
Woz - June 17, 2015 at 5:17pm
Wow the Microsoft and Google propaganda machine at work. Apple is the most secure company in the universe. They can't be hacked by anything and they never have flaws in their software. They always test everything 110 percent. Microsoft and Google must be scared.
 Ah yes
Ah yes - June 17, 2015 at 8:01pm
> Be on iOS 4.3 > Go to jailbreakme.com > Jailbreak the device without even Mac/PC access > 110% security?
iPoop
iPoop - June 17, 2015 at 8:30pm
Lol I think all he's saying is that not a single OS is 110 percent secure. Yes, Apple is one of the most secure companies but still it has some security issues, like everyone else.
lepaka
lepaka - June 17, 2015 at 4:35pm
that is not new ... even with OS X you have to know what you are installing in your computer, or someone will still it from you. for more than 15 years that i am with OS X and never used a extra App for security, firewall, virus and malware family , and i am very happy no one has damage stole or whatever in may computers :)
Recent. Read the latest Apple News.
RECENT
Tutorials. Help is here.
TUTORIALS
Where to Download macOS Sonoma
Where to Download macOS Ventura
AppleTV Firmware Download Locations
Where To Download iPad Firmware Files From
Where To Download iPhone Firmware Files From
Deals. Save on Apple devices and accessories.
DEALS