Apple needs to at least address this. Saying nothing makes them look like the henhouse doors are open and the foxes are running in and out with various chickens.

My guess is they purposely don't make a big deal about security flaws for a few reasons. One is not to scare off new customers. Two is not to get people demanding a fix when it's going to take time to get it done. And three, why publicize a flaw in order to pull hackers' attention to it? That's like telling prisoners that the guards are all off to dinner between 5-6pm and no one is watching them.

I'm pretty confident that Apple, and no other company like Apple, Google, or Samsung, ignores serious flaws like this. But people should remember, not everything is a 5 min fix, and when you have hundreds of thousands of customers out using your software, it's a big deal to release an update.
 
It's actually not that hard. Just ask BlackBerry.

Here ya go.

More seriously... security is hard; plus it's a tradeoff against convenience. AND even when (as BlackBerry has done) you make pro-security choices, those can then leave you vulnerable in other ways (like introducing single points of failure that can completely block a large chunk of your user base).
 
An app like 1Password is something not to trust. All these save-password apps and servers are stupid; they are the #1 target these days for hackers. The only good thing I see so far is the two-step verification.
 
Apple has always had this "We're totally secure." attitude.

We met with the iOS security team back in 2007 to show them a new tool we'd created that allows us to pull all the information from an iPhone. Pictures, texts, emails, previous location data, Wi-Fi networks it's used, phone logs, app data and much more. Their response? iOS is secure and there is no need to change. Even though we demonstrated to them that we could pull all of this data.

Since they chose not to work with us, we went on to sell the product to government agencies across the world including the big names here in the US and still do. Apple's own gov sales guys love the product and help to sell it as it means more hardware sales too.
 
This has been going on for years. Not sure why people mention amount of pages as if they wanted to brag about how much they had to write, or type.
They were pointing out the typo in "paper research paper". Thirteen pages tells me that there is some data to back up the researchers assertions. As a humble brag, it was pretty humble.
 
You apparently didn't read this paper because it also mentions similar, significant issues on Android.
But the paper also contains the following statement:
Interestingly, compared with OS X and iOS, Android looks pretty decent in terms of its protection against the XARA threat…

Doesn't Chrome have its own password sync tool? Why would they use Keychain?
To also allow you to use Keychain passwords in Chrome, I would guess.
 
Here ya go.

Okay...? Those are all inconclusive fictional search results.

We have had huge security breaches that occurred with the celeb picture hacking/leaks; Sony's server compromise affected all BYODs, so they had to dust off the old BlackBerrys because their BES was the only server running...

BlackBerry has a history of being secure. New threats will ALWAYS come out, so nothing can be instantaneous. That's why we have to look at history.
 
So, I'm pretty clueless about this stuff: in short, don't use Chrome? Check and check.

Or is this just an example using Chrome that can be performed with any browser?
 
Once a year I fall for an Apple security threat story, and think "this is finally the one that matters" to me. Then I learn the reality of the details and forget about it.

But yet again, this one DOES feel like the one that matters to me. As for the time--sure, it might take more than 6 months to fix a complex enough problem and be sure of not breaking something else. But then, answer the people who are threatening to expose the bugs. Try to negotiate! (Or maybe Apple did so--we don't have proof.)

I'm glad researchers are finding stuff to fix, but I really hate the ransom-and-publicity model. Set a deadline—goals are great—but don't expose the public if the deadline needs to be extended. Which they KNOW it does because they can see that the vulnerability remains. It's like they're little children, lashing out because Apple didn't answer them back--or a publicity stunt.

Cost vs. benefits: what's the cost of the researchers going public now instead of waiting? What's the benefit? If the goal is to shame Apple into fixing deep/complex things faster, then you still should wait: and then AFTER the fix, shame Apple by revealing how long it took. In short: use PR against Apple. Don't use the security of real people against Apple.

My main Q: defense in the short-term. Don't use apps from the vulnerable list (including Mail)? And don't give any new apps Keychain access? What's the best current practice, and how much does it help?

Okay...? Those are all inconclusive fictional search results.

We have had huge security breaches that occurred with the celeb picture hacking/leaks; Sony's server compromise affected all BYODs, so they had to dust off the old BlackBerrys because their BES was the only server running...

BlackBerry has a history of being secure. New threats will ALWAYS come out, so nothing can be instantaneous. That's why we have to look at history.

The Apple celeb picture hack was a fiction. A bunch of pictures had been stolen over YEARS from MANY different platforms by many different means. It wasn't a recent, single event. It wasn't Apple-specific. And Apple's systems were not breached (other companies' may have been--a lot of techniques were used). Rather, the passwords were guessed. Celebs who will be targeted should use better passwords AND 2-factor authentication. The first, Apple helped with Touch ID (although you can still CHOOSE a weak password, something I expect to be disallowed one day); the second Apple helped by expanding 2-factor auth. But you can't retroactively help all the people who over the years never appreciated the need for strong passwords.
 
Every time there's an article like this I always notice that none of this crap has happened to me. I happen to wonder if it's just something "discovered," because it never really makes news so much that these issues are widespread. I've been on Macs for more than 15 years and not once have I had a security breach.
 
From a developer point of view I say: Sandbox was a bag of hurt to begin with, limiting ideas which would have been great to distribute via the App Store. Nonetheless, we all adapted, and now this. I hope this is a bug in sandboxd which could be fixed with relatively small effort and without limiting the ecosystem.

I hope a fix will just work and, if necessary, we developers can simply re-upload a new version and be done with it. I really hope they do not stop accepting apps for older versions of Mac OS X. That would be disastrous.
 
Exactly, but isn't this always the case with a lot of these vulnerabilities? The users have to let them gain access.

Yes. Many OS X and iOS vulnerabilities require user interaction, which is a double-edged sword. For an aware user (like most of the MacRumors crowd) this makes the OS safer, but this is a problem for the general users. Apple will have to patch this so their customers don't harm themselves.
 
Yes. Many OS X and iOS vulnerabilities require user interaction, which is a double-edged sword. For an aware user (like most of the MacRumors crowd) this makes the OS safer, but this is a problem for the general users. Apple will have to patch this so their customers don't harm themselves.
So how many users have harmed themselves from this exploit so far? Can't be many people because if it was it would be all over the news.
 
Apple has always had this "We're totally secure." attitude.

We met with the iOS security team back in 2007 to show them a new tool we'd created that allows us to pull all the information from an iPhone. Pictures, texts, emails, previous location data, Wi-Fi networks it's used, phone logs, app data and much more. Their response? iOS is secure and there is no need to change. Even though we demonstrated to them that we could pull all of this data.

Since they chose not to work with us, we went on to sell the product to government agencies across the world including the big names here in the US and still do. Apple's own gov sales guys love the product and help to sell it as it means more hardware sales too.
How's the product working with iOS 8?
 
I understand the seriousness of these security flaws. Does the article mention the apps the researchers uploaded to verify them? And if not, why not? If they are so eager to do good for security, the least they could do is say what apps they uploaded to do this.
 
Has Apple released a patch for the iMessage issue that was unveiled the other week? I wouldn't say that we'll see a fix in a couple of hours.
It's fixed in the current 10.10.4 / iOS 8.4 betas.
 
So how many users have harmed themselves from this exploit so far? Can't be many people because if it was it would be all over the news.

I never said any of them have. I said the potential was there and that Apple needed to fix it because some users will open themselves up to this when they just tap "Allow," "Ok," etc.
 
The researchers' claims are slightly exaggerated - several of their claimed flaws aren't flaws but how internet standards and IPC (WebSockets, URL schemes) are designed. IPC is outside of your app's control; data sent out or in should be protected and verified. This is something your average developer should know.

I went into more detail for those interested here: https://www.larrysalibra.com/security-researchers-claim-internet-standards-are-apple-security-flaw/

PS: The MacRumors forum password reset sends a new password in cleartext to you and doesn't use HTTPS. #facepalm
 