iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data

Discussion in ' News Discussion' started by MacRumors, Jun 17, 2015.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A team of six researchers from Indiana University, Georgia Tech and Peking University have published an in-depth report exposing a series of security vulnerabilities that enable sandboxed malicious apps, approved on the App Store, to gain unauthorized access to sensitive data stored in other apps, including iCloud passwords and authentication tokens, Google Chrome saved web passwords and more.

    The thirteen-page research paper "Unauthorized Cross-App Resource Access on Mac OS X and iOS" details that inter-app interaction services, ranging from the Keychain and WebSocket on OS X to the URL Scheme on OS X and iOS, can be exploited to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits.
    The different cross-app and communication mechanism vulnerabilities discovered on iOS and OS X, identified as XARA weaknesses, include Keychain password stealing, IPC interception, scheme hijacking and container cracking. The affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others.

    Lead researcher Luyi Xing told The Register that he reported the security flaws to Apple in October 2014 and complied with the iPhone maker's request to withhold publishing the information for six months, but has not heard back from the company since and is now exposing the zero-day vulnerabilities to the public. The flaws affect thousands of OS X apps and hundreds of iOS apps and can now be weaponized by attackers.

    Article Link: iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data
  2. neuropsychguy macrumors 65816


    Sep 29, 2008
    Any indication that the flaws are still there or has Apple already silently addressed the issue?
  3. lowendlinux Contributor


    Sep 24, 2014
    North Country (way upstate NY)
  4. himanshumodi macrumors regular


    May 18, 2012
    Umm... "... and can now be weaponized by attackers"?? Because the he has made the knowledge of the existence of flaws public? I hope the exact nature of the flaws has been made known to Apple and hope Apple has an official response to this.
  5. melb00m macrumors regular

    Feb 4, 2011
    I don't know how this is a security issue. The Keychain entry explicitly says "Allow access" for both apps.
  6. Craiger macrumors 6502a


    Jul 11, 2007
    Did you read the entire article? It said Apple was told 6 months ago.
  7. chrfr macrumors 604

    Jul 11, 2009
    If this is a legitimate vulnerability, and it appears to be, it would not be patched silently. Let's hope it's fixed in 10.10.4 and iOS 8.4.
  8. horsebattery, Jun 17, 2015
    Last edited: Jun 17, 2015

    horsebattery macrumors 6502

    Sep 24, 2013
    Once again, MR leaves out pertinent information. From the Register's article:
    They also claim that a temporary fix has been pushed into Chrome, but 1Password is still affected:
  9. kwokaaron macrumors 6502a


    Sep 20, 2013
    I don't get why this security flaws reported to Apple always seems to get the cold shoulder. Fix when El Capitan is released?
  10. AngerDanger, Jun 17, 2015
    Last edited: Jun 17, 2015

    AngerDanger macrumors 68040


    Dec 9, 2008
    Fantastic, an article that tempts me to shut off my computer and mobile device then spend the next few months/years paranoid and awaiting news of a patch. Way to go, Apple!
  11. chrfr macrumors 604

    Jul 11, 2009
    A 3rd party sandboxed application shouldn't be able to make a keychain entry that a different application can access.
  12. stanleyRoper, Jun 17, 2015
    Last edited: Jun 17, 2015

    stanleyRoper macrumors member

    Jul 14, 2005
  13. ViktorEvil macrumors member


    Oct 8, 2014
    6 months should be plenty of time to fix this. Not good Apple, not good :(
  14. TheTissot11 macrumors regular

    Feb 21, 2013
    Because Federighi, though might be a great guy, is busy making funny videos for Keynotes instead of devoting time to iron out bugs and make the OS X secure. Sadly this seems to be true...
  15. Alenore macrumors 6502

    Apr 7, 2013
  16. Phil A. Moderator

    Phil A.

    Staff Member

    Apr 2, 2006
    Shropshire, UK
    Apple should have fixed this issue, but I don't see the point in hyperbole: All systems have vulnerabilities and Google / Samsung / Sony / HTC / Apple are all as bad as each other. There's an article on the same website (the register) today about a flaw in the latest Samsung phones that will allow the installation of malware simply by connecting to a compromised WiFi service so it's not been a good day all round for software!
  17. Westside guy, Jun 17, 2015
    Last edited: Jun 17, 2015

    Westside guy macrumors 603

    Westside guy

    Oct 15, 2003
    The soggy side of the Pacific NW
    You apparently didn't read this paper because it also mentions similar, significant issues on Android.

    Security is hard.
  18. Traverse macrumors 604


    Mar 11, 2013
    But the average user will allow anything or just tap "Ok" without reading just to get a notification out of the way.
  19. LordBeelzebub macrumors regular

    Aug 22, 2013
    There is no such thing as security from this sort of thing. For every programmer that writes a security program that is supposed to keep our information secure, there is a hacker out there that can decode/hack the program to steal what ever they want.

    Apple could come out with a patch today to fix the current problem, but tomorrow someone else finds a way to hack it.

    There is no such thing as security.
  20. perkedel macrumors 6502a


    Dec 30, 2014
    This is probably not get patched for a while,
    It looks like Apple is too busy with the Watch!
  21. neuropsychguy, Jun 17, 2015
    Last edited: Jun 17, 2015

    neuropsychguy macrumors 65816


    Sep 29, 2008
    Thanks for pulling that out of the article. I read the Register article after commenting and saw that statement in there; I was mainly asking in the hope that MacRumors staff would update their article to state that it was still affecting apps and devices. Sure, it's good to click through to the Register article but I read MacRumors in part so I don't always have to click through to other sources to get the pertinent information. As you noted, stating that this still is affecting devices and apps is pertinent information.
  22. Rogifan macrumors P6


    Nov 14, 2011
    Check this out:
  23. bawbac macrumors 65816


    Mar 2, 2012
    Seattle, WA
    No time address issue at this critical time.
    The Apple Watch will soon be available to order in store!
  24. Jess13 Suspended


    Nov 3, 2013
    Hasn't been fixed because NSA made Apple do this. In other more important news, iTunes has a new icon.

Share This Page