iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jun 17, 2015.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    A team of six researchers from Indiana University, Georgia Tech and Peking University have published an in-depth report exposing a series of security vulnerabilities that enable sandboxed malicious apps, approved on the App Store, to gain unauthorized access to sensitive data stored in other apps, including iCloud passwords and authentication tokens, Google Chrome saved web passwords and more.


    The thirteen-page research paper "Unauthorized Cross-App Resource Access on Mac OS X and iOS" details that inter-app interaction services, ranging from the Keychain and WebSocket on OS X to the URL Scheme on OS X and iOS, can be exploited to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits.
    The different cross-app and communication mechanism vulnerabilities discovered on iOS and OS X, identified as XARA weaknesses, include Keychain password stealing, IPC interception, scheme hijacking and container cracking. The affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others.


    Lead researcher Luyi Xing told The Register that he reported the security flaws to Apple in October 2014 and complied with the iPhone maker's request to withhold publishing the information for six months, but has not heard back from the company since and is now exposing the zero-day vulnerabilities to the public. The flaws affect thousands of OS X apps and hundreds of iOS apps and can now be weaponized by attackers.

    Article Link: iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data
     
  2. neuropsychguy macrumors 65816

    neuropsychguy

    Joined:
    Sep 29, 2008
    #2
    Any indication that the flaws are still there or has Apple already silently addressed the issue?
     
  3. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
  4. himanshumodi macrumors regular

    himanshumodi

    Joined:
    May 18, 2012
    Location:
    India
    #4
    Umm... "... and can now be weaponized by attackers"?? Because the he has made the knowledge of the existence of flaws public? I hope the exact nature of the flaws has been made known to Apple and hope Apple has an official response to this.
     
  5. melb00m macrumors regular

    Joined:
    Feb 4, 2011
    #5
    I don't know how this is a security issue. The Keychain entry explicitly says "Allow access" for both apps.
     
  6. Craiger macrumors 6502a

    Craiger

    Joined:
    Jul 11, 2007
    #6
    Did you read the entire article? It said Apple was told 6 months ago.
     
  7. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #7
    If this is a legitimate vulnerability, and it appears to be, it would not be patched silently. Let's hope it's fixed in 10.10.4 and iOS 8.4.
     
  8. horsebattery, Jun 17, 2015
    Last edited: Jun 17, 2015

    horsebattery macrumors 6502

    Joined:
    Sep 24, 2013
    #8
    Once again, MR leaves out pertinent information. From the Register's article:
    They also claim that a temporary fix has been pushed into Chrome, but 1Password is still affected:
     
  9. kwokaaron macrumors 6502a

    kwokaaron

    Joined:
    Sep 20, 2013
    #9
    I don't get why this security flaws reported to Apple always seems to get the cold shoulder. Fix when El Capitan is released?
     
  10. AngerDanger, Jun 17, 2015
    Last edited: Jun 17, 2015

    AngerDanger macrumors 68040

    AngerDanger

    Joined:
    Dec 9, 2008
    #10
    Fantastic, an article that tempts me to shut off my computer and mobile device then spend the next few months/years paranoid and awaiting news of a patch. Way to go, Apple!
     
  11. chrfr macrumors 604

    Joined:
    Jul 11, 2009
    #11
    A 3rd party sandboxed application shouldn't be able to make a keychain entry that a different application can access.
     
  12. stanleyRoper, Jun 17, 2015
    Last edited: Jun 17, 2015

    stanleyRoper macrumors member

    Joined:
    Jul 14, 2005
  13. ViktorEvil macrumors member

    ViktorEvil

    Joined:
    Oct 8, 2014
    Location:
    England
    #13
    6 months should be plenty of time to fix this. Not good Apple, not good :(
     
  14. TheTissot11 macrumors regular

    Joined:
    Feb 21, 2013
    Location:
    Germany
    #14
    Because Federighi, though might be a great guy, is busy making funny videos for Keynotes instead of devoting time to iron out bugs and make the OS X secure. Sadly this seems to be true...
     
  15. Alenore macrumors 6502

    Joined:
    Apr 7, 2013
  16. Phil A. Moderator

    Phil A.

    Staff Member

    Joined:
    Apr 2, 2006
    Location:
    Shropshire, UK
    #16
    Apple should have fixed this issue, but I don't see the point in hyperbole: All systems have vulnerabilities and Google / Samsung / Sony / HTC / Apple are all as bad as each other. There's an article on the same website (the register) today about a flaw in the latest Samsung phones that will allow the installation of malware simply by connecting to a compromised WiFi service so it's not been a good day all round for software!
     
  17. Westside guy, Jun 17, 2015
    Last edited: Jun 17, 2015

    Westside guy macrumors 603

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #17
    You apparently didn't read this paper because it also mentions similar, significant issues on Android.

    Security is hard.
     
  18. Traverse macrumors 604

    Traverse

    Joined:
    Mar 11, 2013
    Location:
    Here
    #18
    But the average user will allow anything or just tap "Ok" without reading just to get a notification out of the way.
     
  19. LordBeelzebub macrumors regular

    Joined:
    Aug 22, 2013
    #19
    There is no such thing as security from this sort of thing. For every programmer that writes a security program that is supposed to keep our information secure, there is a hacker out there that can decode/hack the program to steal what ever they want.

    Apple could come out with a patch today to fix the current problem, but tomorrow someone else finds a way to hack it.

    There is no such thing as security.
     
  20. perkedel macrumors 6502a

    perkedel

    Joined:
    Dec 30, 2014
    Location:
    California
    #20
    This is probably not get patched for a while,
    It looks like Apple is too busy with the Watch!
     
  21. neuropsychguy, Jun 17, 2015
    Last edited: Jun 17, 2015

    neuropsychguy macrumors 65816

    neuropsychguy

    Joined:
    Sep 29, 2008
    #21
    Thanks for pulling that out of the article. I read the Register article after commenting and saw that statement in there; I was mainly asking in the hope that MacRumors staff would update their article to state that it was still affecting apps and devices. Sure, it's good to click through to the Register article but I read MacRumors in part so I don't always have to click through to other sources to get the pertinent information. As you noted, stating that this still is affecting devices and apps is pertinent information.
     
  22. Rogifan macrumors P6

    Rogifan

    Joined:
    Nov 14, 2011
    #22
    Check this out: http://arstechnica.com/security/201...ng-galaxy-phones-into-remote-bugging-devices/
     
  23. bawbac macrumors 65816

    bawbac

    Joined:
    Mar 2, 2012
    Location:
    Seattle, WA
    #23
    No time address issue at this critical time.
    The Apple Watch will soon be available to order in store!
     
  24. Jess13 Suspended

    Jess13

    Joined:
    Nov 3, 2013
    #24
    Hasn't been fixed because NSA made Apple do this. In other more important news, iTunes has a new icon.
     

Share This Page