Nonsense. As if a user wouldn't realise that "Gmail" isn't actually "Gmail" any more. The only thing that you can achieve is that someone opens your app exactly ONCE, because he thinks it's Gmail. However, you can do exactly the same by actually installing the App you initially promoted in the phishing link: "Hey, install Flappy Bird 2", then install an app called "Flappy Bird 2". A user who installs this app will also open it. The ability to install over an existing App, which, by the way, is not even likely to be installed in the first place, brings nothing new to the table for the attacker. This is therefore really a non-issue blown entirely out of proportion.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Responds to 'Masque Attack' Vulnerability, Not Aware of Customers Affected by Attack
- Thread starter MacRumors
- Start date
- Sort by reaction score
Nonsense. As if a user wouldn't realise that "Gmail" isn't actually "Gmail" any more. The only thing that you can achieve is that someone opens your app exactly ONCE, because he thinks it's Gmail. However, you can do exactly the same by actually installing the App you initially promoted in the phishing link: "Hey, install Flappy Bird 2", then install an app called "Flappy Bird 2". A user who installs this app will also open it. The ability to install over an existing App, which, by the way, is not even likely to be installed in the first place, brings nothing new to the table for the attacker. This is therefore really a non-issue blown entirely out of proportion.
Masquerade Attack is an iOS exploit and you are referring to OS X apps. Two different operating systems with two different App Stores.
You don't have to change your security settings, you just need to right click and select open (instead of double clicking), assuming they are actually "untrusted" sources. The default security setting is "mac app store and identified developers" btw. If Microsoft isn't an identified developer, that's their own fault.
Really? At least this is about Apple's response.
It's much more interesting than stories like "some random company no one cares about now accepts ApplePay".
swingerofbirch
macrumors 68040
Oh yawn! This is a non issue if you only get your apps from the apple app store.
Wanna play with fire, go for it!
Wanna play with fire, go for it!
This threat is about iOS not OSX and for iOS it is: Yes and yes, there both available via the app store. First get you facts straight and than try to start trolling (again).
----------
If you download directly for Microsoft, I think there is hardly any danger, right? If Wong Yang Whoo offers you a 150% discount on MS Office don't download it
PS: They are all doing it for the money, not only Apple.
Last edited:
This only happens on an iPhone that bends, which also Apple denies existence of.
Yah it's interesting how nobody is talking about that anymore and iPhones continue to fly off the shelves...
----------
Your opinion is wrong.
You clearly don't understand sandboxing or the topic being discussed in this thread.
No, it doesn't only affect jailbroken devices - basically, they are apps provisioned and signed as enterprise deployment apps which allows them to be installed outside of the App store (the intended use of these certificates is to allow enterprise customers to create and deploy custom iOS apps for their own staff to use without having to go through the app store)
While this is a security concern, these things can't deploy themselves onto your iOS device - they require the co-operation of the device owner. Unfortunately, if people think they are getting something for nothing, many of them will just ignore any security concerns and just install it without a second thought...
Do you have any evidence that it is a wire lurker app? Lots of people would like to know.
They are just trying to get widespread public attention on SOMETHING to justify their bureaucratic existence and gain mindshare. The actual benefit of this notice as pointed out by Apple is nearly nil. Anyone dumb enough to bypass Apple security actively install such a malicious app will not have read the MacRumors or other outlets reporting of the notice and certainly not the notice itself.article said:
This has zero public benefit in practice which is why is is a clear scream for attention by an obscure Federal agency(ies) and little else.
Rocketman
This issue appears to affect different categories of IOS users: Jailbreak, Enterprise and normal.
The first is not the norm for IOS and those folks tend to be fairly savvy already.
The second are typically users in a large organization that may normally create apps, outside the app store, for use only within the organization. They use enterprise profiles to get such apps installed. Those are somewhat at risk as installing apps that way may be considered normal.
Large companies and government groups are examples of the second category and might easily have thousands of individuals within the group.
The third is the normal IOS user. Many of those are not tech savvy. They use their phone as a tool and will not always notice changes in app appearance or behavior.
The key issue here is falling for the link that causes this problem. Tech savvy folks generally know better, but non-tech dont. This has more potential to cause problems for these in the enterprise group as their devices might have access to data, outside the normal web, that their normal enterprise apps use. Such fake apps could potentially gain access to that data.
Assuming people will know better is usually a bad approach. The amazing range of scams that occur every week in the news cycle are example of that fact. Apple may well step in to control these options more firmly as they have recently done in other security related areas.
The first is not the norm for IOS and those folks tend to be fairly savvy already.
The second are typically users in a large organization that may normally create apps, outside the app store, for use only within the organization. They use enterprise profiles to get such apps installed. Those are somewhat at risk as installing apps that way may be considered normal.
Large companies and government groups are examples of the second category and might easily have thousands of individuals within the group.
The third is the normal IOS user. Many of those are not tech savvy. They use their phone as a tool and will not always notice changes in app appearance or behavior.
The key issue here is falling for the link that causes this problem. Tech savvy folks generally know better, but non-tech dont. This has more potential to cause problems for these in the enterprise group as their devices might have access to data, outside the normal web, that their normal enterprise apps use. Such fake apps could potentially gain access to that data.
Assuming people will know better is usually a bad approach. The amazing range of scams that occur every week in the news cycle are example of that fact. Apple may well step in to control these options more firmly as they have recently done in other security related areas.
Yeah uuuum...
This pretty well confirms my suspicions IMO. The 'virus' requires a pirated enterprise certificate. Most people don't know about them but if you work for a biiiig company your company will be able to install their own apps through a website.
Musclenerd always did this but didn't because the company he pirated the certificate from would be faaaaaaarked. Chinese dudes with an old Chinese certificate that belongs to a Chinese company that's either owned by the Chinese government or no longer exists... they don't have those same 'ethics'. They just but an old pirated cert out there (which is why you HAVE to change your date for it to work... or well... maybe don't with some new pirated certs).
Jailbreaking isn't the issue and won't make you more vulnerable. Downloading emulators/pirated apps from websites... don't these people wonder 'WHY DOES THIS WORK?!??!?' In short DON'T download pirated apps/emulators (with a boot load of pirated ROMs) from ANY website.
This isn't a worm or security flaw or ANYTHING!!! They're using an enterprise certificate (which don't come cheap) and are using standard install steps to install trojans. It's like the old Hotline trick when somebody was p!ssing you off and asking you how to hack stuff!!! 'Oh yeah, I know how to hack people... hack your ex girlfriend using this nice little app I just put together!!' BOOO BOOOOOM!!!! 'AAAAARGH YOU TRICKED ME!!! MY COMPUTER NO LONGER BOOTS NOW!!!! B@ST@RD!!!!!!!!'
That's all they're doing. It's not as if some worm is tunneling through iOS/OS X using some major security flaw that Apple needs to (can) patch. The only fix for this 'bug' is to not let idiots install software.
So those who want Apple to ramp up security are saying that Apple should protect users from their idiotic decision to download from 3rd party app stores or apps from dodgy sites (pirated apps?) and bypass installation warnings from the system. This is a non-issue if you follow the rules from Apple of simply getting your apps from their App Store.
Please read up on the subject. Masque has absolutely nothing to do with Gmail. It was an example, albeit a very bad one based on responses on this site.
Above.
OT: If Apple closes the vulnerability, then this issue will die... until the next issue arises. We should start getting used to it. The more ubiquitous Apple becomes, the more viable it is as a target, and the more resources hackers will dedicate to penetrating it.
This only happens on an iPhone that bends, which also Apple denies existence of.
That's right, we've got to keep the humor flowing.
Now that I'm using the original Apple "iP6+ Bendy" model that requires being handled with kid gloves things will never be the same.
Wadding up a One Thousand Dollar iPhone... Is an awful thought.
WoooHooo
True, but people don't. We have air bags and seat belts for similar reasons. People do dumb stuff that affects others.
So being able to install apps from outside sources on iOS is a security flaw but on windows, android, etc, it's a feature? You know that phishing can happen on any operating system right?
This happens only to stupid and ignorant people and people that purposely bend their iPhones, enough said...This only happens on an iPhone that bends, which also Apple denies existence of.
Ignorance is bliss...
You might want to read my post first. Who knows, you might even have something relevant to say afterwards.
My post has as much to do with Gmail as the masque attack has: It's an example of a user-installed app that may be targeted.