iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data

[Temptin]

Hahahahah, I watched the two videos. More bs meant to scare Apple users. This is pathetic and barely an exploit at all. A 12 year old could figure these out in an afternoon. Apple doesn't even need to fix this. That's how pathetic these "exploits" are.

Laughable "Exploit" #1:
* A malicious app tells Keychain Access to store a "blank" password for a site (like Facebook.com), with access rights by both Google Chrome/Safari/Whatever browser, *and* the evil app.
* The user logs in to the site and tells their browser to save the password, which puts the real (non-blank) password in the Keychain.
* Since the evil app created the keychain entry, it still has access to read it and can see the real password.
* This exploit requires that the malicious app knows your website login username/email already, so that it can create a dummy entry with the correct login name, so that the browser will update that exact Keychain Access entry with the password.
* This exploit only works if there's NOT ALREADY a password entry stored for that site. If there's an existing entry, it cannot overwrite it/add itself as access to it without triggering OS X's "allow this app to access Facebook.com in your keychain?" dialog, which means almost nobody will be hit by this exploit since most people have already stored their passwords.
* This is not a flaw of Keychain Access. It's working as intended: Allowing more than one app to access keychain access entries. Although Apple *might* want to lock it down so that apps can only add themselves (not other apps) to the access list. If so, it would be impossible for a malicious app to add the browser to the access list of the dummy/blank login. Although this would just cause the browser to trigger the "allow the browser to access Facebook.com in your keychain?" dialog, and most people would accept that, so it wouldn't really solve the problem. And as mentioned, it's an extremely minor problem and requires that the exploit knows your email/username for the site *and* adds the Keychain Access entry *before* the browser has added any. For most users, they will already have entries for all sites they use, so the malicious app can't do jack sh$t. And again: A malicious app needs to know your exact email/username as well, which is already extremely unlikely.
* Lastly: 1Password does not use Keychain Access. At all. Use that password manager instead. It's also far more portable, working on Windows and iOS as well, and has Dropbox sync. And of course it lets you store all kinds of other useful, secret data, like Software Licenses.

Laughable "Exploit" #2:
* A malicious sandboxed app is able to read files from other sandboxed apps. The researchers call this "cross-app resource access" or XARA for short.
* (Not shown in the video, but far more serious) A malicious non-sandboxed (non-App Store) app can read any file the user owns on the filesystem.
* When you can read files on their system, you can of course steal secrets from other apps.
* This is not a problem: 1Password's secrets are encrypted. I would happily email my entire 1Password database to the NSA. Having the database is worthless if they don't also have the password, and my password takes hundreds of trillions of years to crack, so not even the NSA can do it (*period*; it's mathematically impossible even if they had ten thousand working quantum computers).
* What is a problem is that malicious apps can steal unencrypted user files and send them away. But that's always been a problem on every OS ever. Don't install/run weird software.
* As for sandboxed apps: Yes, Apple should fix it so that sandboxed apps can't read each other's data directories. But it's a very minor issue. Your system is already no-doubt full of non-sandboxed software, and *that* software has access to the *whole* filesystem. A sandboxed (App Store) app only has access to its sandbox and the sandboxes of other App Store apps.

 

[Crosscreek]

I have been using Sentinel Pro Antivirus for the past 3 months when I noticed unusual activity on my network. I had several MIM attacks every day until the latest OS X Beta update for Yosemite. All attacks seem to have stopped so I guess Apple has addressed the problem but no way to know for sure.

I have no way of knowing about IOS except I get a lot of requests for email passwords that I blow off and still get my email so my guess is it has not been fixed.

To go 6 months without telling us is not good business for something as serious as this.

Apple is getting lax in it's priorities of security IMHO.

 

[till213]

Any indication that the flaws are still there...

Yes. They made the bugs public. Indication enough for you?

 

[maflynn]

It's fixed in the current 10.10.4/ iOS 8.4 betas.

That's good to know, yet it reinforces my opinion that we are not days away from getting this fixed.

 

[chrfr]

That's good to know, yet it reinforces my opinion that we are not days away from getting this fixed.

It's not inconceivable that this is patched in those updates too, as Apple does not preannounce security fixes. It's also conceivable that they make us wait until iOS 9 and OS X 10.11 for fixes.

 

[jwdsail]

A team of six researchers from Indiana University, Georgia Tech and Peking University have published an in-depth report exposing a series of security vulnerabilities that enable sandboxed malicious apps, approved on the App Store, to gain unauthorized access to sensitive data stored in other apps, including iCloud passwords and authentication tokens, Google Chrome saved web passwords and more.

The thirteen-page research paper "Unauthorized Cross-App Resource Access on Mac OS X and iOS" details that inter-app interaction services, ranging from the Keychain and WebSocket on OS X to the URL Scheme on OS X and iOS, can be exploited to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits.The different cross-app and communication mechanism vulnerabilities discovered on iOS and OS X, identified as XARA weaknesses, include Keychain password stealing, IPC interception, scheme hijacking and container cracking. The affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others.

Lead researcher Luyi Xing told The Register that he reported the security flaws to Apple in October 2014 and complied with the iPhone maker's request to withhold publishing the information for six months, but has not heard back from the company since and is now exposing the zero-day vulnerabilities to the public. The flaws affect thousands of OS X apps and hundreds of iOS apps and can now be weaponized by attackers.

Article Link: iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data

So,

Just so I can make sure I'm getting the gist of this:

A user must instal a malicious app, a trojan, which will likely require them to change the default system preference to allow an unsigned app to be installed. This will require them to go to System Preferences and change the security settings, requiring an Admin username and password.

Then, the user must also allow that app access to the keychain.

Then, the app creates a new keychain entry, but rather than it being an entry for it's own servers/services, it's an entry that will prompt a user to enter credentials for, FaceBook, DropBox, etc. Of course most users don't remember this info, that's why they keep it in the KeyChain in the first damn place, so they go through whatever process required to retrieve the credentials through the service in question, or turn off the Mac and do something else. Sooner or later, the user may actually find and reenter the login info.

The malicious app can then harvest that data.

ok.

Seems to be a Rube Goldberg approach to get credentials, when someone adept at social engineering could likely get more damaging info by making the right phone call or email to the right person?

Or am I misunderstanding a key step in the process?

Not saying it shouldn't be fixed by Apple ASAP. Just that it reads as an inefficient method compared to other phishing approaches already in use by crooks out there.

 

[chrfr]

AgileBits, the developers of 1Password have comments on this issue. There is something to the vulnerability, and it's going to be difficult to fix.
https://discussions.agilebits.com/discussion/comment/212590/#Comment_212590

 

[Temptin]

AgileBits, the developers of 1Password have comments on this issue. There is something to the vulnerability, and it's going to be difficult to fix.
https://discussions.agilebits.com/discussion/comment/212590/#Comment_212590

@chrfr Please read what you link to before linking it.

I'll leave it to you and other people to figure out why the page you linked to has nothing to do with the OS X keychain vulnerability. Hint about how to solve that quest: Read the page you linked to.

Quest rewards, should you complete this quest:

100 XP
10 Copper
1x [Welcome to the Internet Instructional Booklet]

Bonus objective: Read the other replies by AgileBits staff, to see why your 1Password data is safe no matter what.

Bonus rewards: 200 XP, 1x ["I Can Read Long Words!" Award]

 

[chrfr]

@chrfr Please read what you link to before linking it.

I'll leave it to you and other people to figure out why the page you linked to has nothing to do with the OS X keychain vulnerability. Hint about how to solve that quest: Read the page you linked to.

Quest rewards, should you complete this quest:

100 XP
10 Copper
1x [Welcome to the Internet Instructional Booklet]

Before you join a forum and start being a jerk, read the original article, and read what I linked. This is the "XARA" vulnerability, which compromises data passing between applications. The ability to compromise the keychain is only one vulnerability exposed by the researchers.

 

[Jess13]

And different tinted emojis.

With creepy eyes.

 

[Temptin]

Before you join a forum and start being a jerk, read the original article, and read what I linked. This is the "XARA" vulnerability, which compromises data passing between applications. The ability to compromise the keychain is only one vulnerability exposed by the researchers.

Before you spread alarmist garbage in the latest "let's all panic about Apple" craze topic, please read what you link to.

I'll summarize it then, since you're not going to read:

* 1Password has NOTHING to do with the OS X keychain. Or, to quote AgileBits staff in the page you linked to: "Significantly, Agile Keychain is not the same thing as (or even peripherally related to) the OS X or iOS Keychain, which is (are?) the subject of the article."
* The only issue with 1Password is that a malicious app, *if it starts BEFORE 1Password Mini* (not normally possible, since Mini is configured to start at system login), will be able to bind to the local IPC port and pretend to be 1Password mini. If you visit a webpage and manually type in a password, the 1Password extension will ask "Do you want to save the password for site X?" - and if you hit Save, it gets sent over IPC to the malicious app pretending to be 1Password Mini. The malicious app does NOT get access to ANY of your pre-saved passwords, but it DOES get any NEW saved passwords. But you would notice this anyway, for a very simple reason: Since the malicious app would be using the port, the browser extension would not be able to talk to 1Password Mini, so you could not click the browser toolbar button to see your saved passwords, auto-login to sites, and so on. You'd notice this way before you *ever* typed in a brand new password and hit "Save." So this "1Password Mini impersonation" is very close to a complete non-issue. 1Password was designed with potential "1Password mini service" impersonation in mind, and the devs knew about the possibility from day 1, and made sure that it does *not* leak any data.

 

[MyNameIsJon]

@chrfr Please read what you link to before linking it.

I'll leave it to you and other people to figure out why the page you linked to has nothing to do with the OS X keychain vulnerability. Hint about how to solve that quest: Read the page you linked to.

What am I missing here? It appears that the linked post is referencing cross-app resource access attacks (XARA), one of the vulnerabilities detailed in the white paper in question.

Hi all,
We've had long conversations over the past several months with Luyi Xing and his team that analyzed these problems and have looked at their demonstration of attacks against the communication between the 1Password Browser Extension and 1Password Mini. They have been excellent at providing us with details and information upfront.
What makes this particular attack more worrisome than other attacks that depend on malware running on your system is that the malware in this case does not need to be "admin" or "root".
As always, we are limited in what we can do in the face of malware running on the local machine.

 

[jimtonic01]

@Temptin
please read the paper

 

[Temptin]

@MyNameIsJon: See post #112 for a summary of the 1Password thread and why it has nothing to do with Keychain Access, and why the "1Password Mini impersonation" issue is bogus too.

And in my earlier post #102, you can read why XARA (cross-app resource access) doesn't matter and doesn't compromise the security of 1Password.

 

[Temptin]

@Temptin
please read the paper

The paper is here and I've already read it:
https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view

It says nothing I didn't already cover in my posts in this thread. Starting from post #102 and onwards, if you're curious.

 

[keifer.street]

I've been an OS X / iOS user for about 8 years... Apple has ALWAYS been extraordinarily sluggish to resolve publicly reported bug fixes or security patches.

The WPA2 Enterprise Wi-Fi dropping in iOS 8 persists today on all iOS 8.3 devices, even though it's been reported nearly a year ago. That's just ridiculous. Absurd even. My wi-fi is dropping and re-connecting even as I write this post (but my iOS 7 devices maintain a solid connection - so not a networking issue - definitely OS related). Everyone in my office with iOS 8 has the same problem (but not on their iOS 7 devices), so I know it's not just me And it has been reported here and in other Apple forums with thousands of replies with 'I'm having the same issue'

And now this? Apple had 6 months to fix what is arguably a very serious security flaw in their design and no fix? So they have to be strong-armed by third parties who publish it to the public to force Apple's hand?

Apple should be pro-active on stuff like this, not re-active like it's been for the past 8 years. It seems like they have a serious problem with resources or prioritization when it comes to security patches and bug fixes. In all of their software.

And God help you if you ever call Apple support with a 'real' issue that requires coding to fix. You might as well just wait for the next version of OS X or iOS to pop before they fix the issue... they'll 'escalate' it to engineers and it will just sit in a queue, ignored until the next release.

They need to re-shift some of their focus to improve response times on stuff like this to customer satisfaction or they'll risk becoming the new Microsoft...

 

[mag01]

@Temptin What? The MR article is about the multiple-vulnerability report as a whole, not just about some single vulnerability. @chrfr correctly linked the AgileBits comments regarding one of them.
Where do you see anything that he has to take just some specific one into account here, completely ignoring all others?

 

[chrfr]

Before you spread alarmist garbage in the latest "let's all panic about Apple" craze topic, please read what you link to.

I'll summarize it then, since you're not going to read:

* 1Password has NOTHING to do with the OS X keychain. Or, to quote AgileBits staff in the page you linked to: "Significantly, Agile Keychain is not the same thing as (or even peripherally related to) the OS X or iOS Keychain, which is (are?) the subject of the article."
* The only issue with 1Password is that a malicious app, *if it starts BEFORE 1Password Mini* (not normally possible, since Mini is configured to start at system login), will be able to bind to the local IPC port and pretend to be 1Password mini. If you visit a webpage and manually type in a password, the 1Password extension will ask "Do you want to save the password for site X?" - and if you hit Save, it gets sent over IPC to the malicious app pretending to be 1Password Mini. The malicious app does NOT get access to ANY of your pre-saved passwords, but it DOES get any NEW saved passwords.

I'm not sure why you think having a discussion about a security vulnerability, even if, as in this case, it's extremely unlikely, is alarmist.
-I made no inference that this affected, nor was related to, Apple's Keychain.
-If this vulnerability can capture new passwords by masquerading as 1Password Mini, I see no reason in the report or the Agilebits forum posts why a masquerading extension could not capture the master password as well.

 

[Temptin]

@mag01: The paper is about OS X keychain access multi-app permissions, and about XARA (cross-app resource access) which lets apps read the contents of other apps.

When chrfr just dumps a link and says "the AgileBits devs say there is something to the vulnerability and it's going to be difficult to fix," he spreads unnecessary fear and betrays the fact that he hasn't read the page he linked to.

Here's the summary of all issues: OS X keychain access, XARA cross-app file access, and 1Password Mini impersonation:

Post #112 - summary of the 1Password thread and why it has nothing to do with Keychain Access, and why the "1Password Mini impersonation" issue is bogus too.

Post #102 - why the "keychain access problem" is not a problem at all, and why XARA (cross-app resource access) doesn't matter and doesn't compromise the security of 1Password, nor the system at large.

 

[MyNameIsJon]

@MyNameIsJon: See post #112 for a summary of the 1Password thread and why it has nothing to do with Keychain Access, and why the "1Password Mini impersonation" issue is bogus too.

And in my earlier post #102, you can read why XARA (cross-app resource access) doesn't matter and doesn't compromise the security of 1Password.

Post #112 seems to not be referring to the AgileBits post that was linked. You are referencing discussion in https://discussions.agilebits.com/discussion/comment/212539/#Comment_212539, not the originally linked https://discussions.agilebits.com/discussion/comment/212590/#Comment_212590.

Post #102 doesn't talk to XARA addressed by AgileBits as discussed in https://discussions.agilebits.com/discussion/comment/212590/#Comment_212590 either.

 

[chrfr]

When chrfr just dumps a link and says "the AgileBits devs say there is something to the vulnerability and it's going to be difficult to fix," he spreads unnecessary fear and betrays the fact that he hasn't read the page he linked to.

Again, I read both the link I posted and the report. This is a discussion forum. We're discussing; you're dismissing the discussion as nonsense.

 

[Temptin]

Post #112 seems to not be referring to the AgileBits post that was linked.
Post #102 doesn't talk to XARA addressed by AgileBits either.

Post #112 does talk about the *entire* 1Password thread; and details the *only* issue with 1Password: "1Password mini impersonation", and why it's practically a non-issue. 1Password was designed with potential "1Password mini service" impersonation in mind, and the devs knew about it from day 1. It's pretty much the first question that would come up in anyone's mind: "Okay, we're designing a browser extension; how do we make it guarantee that it's talking to 1Password"? - and they did a great job. Impersonation doesn't leak any of your data or your master password, and would be quickly detected by the user since they would not have access to their saved passwords (since the real 1Password Mini service would not be running).

Post #102 does talk about "XARA as address by AgileBits"; read the section for "exploit #2" there, that's the "XARA" one.

I'm not sure why you think having a discussion about a security vulnerability, even if, as in this case, it's extremely unlikely, is alarmist.
-I made no inference that this affected, nor was related to, Apple's Keychain.
-If this vulnerability can capture new passwords by masquerading as 1Password Mini, I see no reason in the report or the Agilebits forum posts why a masquerading extension could not capture the master password as well.

It's alarmist because your phrasing made it sound, to the casual reader, as if the AgileBits devs "confirmed the OS X security issue and said that it's very serious." But that's not true at all; the page you linked to only spoke about 1Password mini impersonation, thus why I told you to tone down the alarmism and read what you link to before giving others the wrong impression.

And your second question above: No, they can't capture the master password. They only bind to localhost:6263 to set up a server that pretends, towards the browser extension, to be 1Password. What happens next is that if you log in to a *brand new site* in your browser, the extension will ask if you want to save the password. If you say Yes, it gets sent to port 6263 where the malicious app is.

But that malicious app does *not* have the actual 1Password keychain or anything else. And the master password unlocking process is entirely separate from the browser<->mini communication.

All they can do with 1password mini impersonation is to steal brand new saved passwords; and even that's very, very dubious as outlined in post #112.

Discussion is an excellent thing. Dumping alarmist misinformation is not. But never mind, I'll leave the thread since I've already outlined in detail why none of these "issues" are issues at all:

Post #112 - summary of the 1Password thread and why it has nothing to do with Keychain Access, and why the "1Password Mini impersonation" issue is bogus too.

Post #102 - why the "keychain access problem" is not a problem at all, and why XARA (cross-app resource access) doesn't matter and doesn't compromise the security of 1Password, nor the system at large.

 

[chrfr]

Apple doesn't even need to fix this. That's how pathetic these "exploits" are.

* As for sandboxed apps: Yes, Apple should fix

You're even in conflict with yourself on this.

 

[jasnw]

And this "discussion" is why Apple needs to start being pro-active in addressing security issues. The folks over at 1Password are at least talking about it, but there's only so much they can do from the app side of things. This particular vulnerability (via WebSocket inter-process communication (IPC)), involved the malicious app attaching itself to the TCP port 1Password uses for communication between the browser extension and 1Password Mini. Connection to TCP ports and communication via those ports is overseen by the OS, which puts the ball in Apple's court.

So what say you Apple? Is this a serious threat or are we just all bloviating and getting ourselves all worked up over nothing? Or is watching your user base run in circles your favorite corporate game these days?

 

[Temptin]

You're even in conflict with yourself on this.

Wow, you're keeping up your streak of not reading properly. I guess no quest rewards for you. ;-)

There's a difference between the words "doesn't need" and "should". None of the extremely abbreviated and out-of-context text you quoted by me contradicts/conflicts with each other.

And to prove that, here are the full extracts from what you edited all political-style, by the way:

This is pathetic and barely an exploit at all. A 12 year old could figure these out in an afternoon. Apple doesn't even need to fix this. That's how pathetic these "exploits" are.

…

As for sandboxed apps: Yes, Apple should fix it so that sandboxed apps can't read each other's data directories. But it's a very minor issue. Your system is already no-doubt full of non-sandboxed software, and *that* software has access to the *whole* filesystem. A sandboxed (App Store) app only has access to its sandbox and the sandboxes of other App Store apps.

As you can see, the problem is way bigger than just sandboxing. What exactly would Apple gain by restricting sandboxed apps to only their own container? Every non-sandboxed app (and on most systems that's most of them) already has access to the *entire* filesystem.

That's why I said that Apple doesn't NEED to fix this but that they SHOULD because it'd be "nice" to clean things up, but it doesn't improve security since your system is already full of non-sandboxed apps that have *full* filesystem access, which is far worse than sandboxed apps being able to read other sandboxed apps.