I think the point is that Apple does have people who should have been able to fix it within 6 months, or if they didn't, hire them and get them to fix it.

At least it isn't as bad as the last Minecraft server patch, where the guy who found the bug bugged Mojang for OVER TWO YEARS before he finally exposed it, and then they patched it. Sometimes, I guess you just gotta light a fire...

The point is that one cannot put a time limit onto fixing system bugs or vulnerabilities.
First, one needs to recreate it to confirm, then check why it does what it does and how it can be outsmarted.
Then it needs to be tested, so it doesn't screw up other things, and then, and then...

Like it was said, a billion if you can fix it tomorrow.
 
Well, at least I don't have password info stored in *most* of those apps listed (I suppose they could crack into my Dropbox?).

I've really been against the idea of various apps storing passwords. My passwords (whenever possible) stay only in my password manager, PasswordWallet. I'm curious though, how 1Password is listed... do they mean the password would be snagged when it's sent to the other app (i.e.: Safari) to log into a site, etc.?
 
The point is that one cannot put a time limit onto fixing system bugs or vulnerabilities.
First, one needs to recreate it to confirm, then check why it does what it does and how it can be outsmarted.
Then it needs to be tested, so it doesn't screw up other things, and then, and then...

Like it was said, a billion if you can fix it tomorrow.

So, you're saying Apple has been hard at work on this for 6 months and just isn't done yet? (Or, Mojang for 2 years!)?

Obviously *we* can't fix it tomorrow... or in 6 months with any amount of money... unless we could buy Apple, I suppose.
 
The point is that one cannot put a time limit onto fixing system bugs or vulnerabilities.
First, one needs to recreate it to confirm, then check why it does what it does and how it can be outsmarted.
Then it needs to be tested, so it doesn't screw up other things, and then, and then...

Like it was said, a billion if you can fix it tomorrow.
Except for the fact that the issue & reasonable cause has been found for some time now.
Apple is sitting on their hands worrying about the Apple Watch & cash flow instead of fixing their products that are exposing their customers' secured information.
 
Except ... instead of fixing their products that are exposing their customers' secured information.

Except: It's not exposing their customer's secured information. Under *extremely* specific circumstances it *might* expose *future* logins. But *none* of your past ones.

And what are those specific circumstances in which it can expose *future* logins?
1. You have never logged in to that website using Keychain Access before.
2. The malicious app must already know your exact username/email for the website.

Those are extremely unlikely requirements, if I ever saw them.

I wouldn't even bet on them "fixing" it even now, since it's not broken. The laughable "exploit" uses the "mutual secret sharing" feature of Keychain Access, which allows multiple apps to access a mutually shared password. The malicious app must be the first app that inserts the password entry in Keychain Access, since it can't modify/read any pre-existing entries. Therefore, this is working as intended and there's no need for Apple to change *anything*. If they change things, it will be because of the media frenzy (as usual, blowing things out of proportion).

Post #102 - why the "keychain access problem" is not a problem at all, and why XARA (cross-app resource access) doesn't matter and doesn't compromise the security of 1Password, nor the system at large.

Post #112 - summary of the 1Password thread and why it has nothing to do with Keychain Access, and why the "1Password Mini impersonation" issue is bogus too.
 
This "vulnerability" requires the user to install malicious software on their computer before it can do anything at all. People have been "sideloading" software onto their computers for years -- long before app sandboxing was even a thing -- and those apps, if malicious, could have tried to do bad things. Just be careful what you install on your computer, and you'll be fine.
 
@adhir: Great post. Shoddy reporters with clickbait titles are acting as if the sky is falling, as usual.

If we were to take all of MacRumors' sensationalist news titles at face value, Apple would no longer exist as a company. Anytime I go here to read some news, I have to scroll through fifty "OH MY GOD!" titles, and if you read any of them it's pretty much *never* an actual issue. It's tiring... but hey, it drives clicks and ad revenue...

It's easy to forget that these are web "news" agencies and that most people who write for the web are not actual reporters and don't have the same ethical standards as something like the New York Times. All that counts on the web is whether or not people share/click your links and therefore see your ads... So it leads to this situation.

What happens: Tim Cook farts.
What the web "news" outlets write: "Tim Cook has potential life-threatening gas -- to be hospitalized?!"

;)
 
This "vulnerability" requires the user to install malicious software on their computer before it can do anything at all. People have been "sideloading" software onto their computers for years -- long before app sandboxing was even a thing -- and those apps, if malicious, could have tried to do bad things. Just be careful what you install on your computer, and you'll be fine.

Yes, but the key point here is that this attack can be mounted by apps that pass Apple's current vetting process for the app store. An unsuspecting user could download an app from the app store believing that Apple has made good on its promises that no badness will ever come from apps in its store. Suddenly BAZINGA, there's a listener sitting on the IPC between the user's browser and 1Password Mini that's sending everything that's passed between the two back home to papa. If this was only coming from unvetted software, your comment is correct. However, this attack can (at present) be mounted via "safe" apps from the Apple Store.
 
I don't see a real problem.

As long as there is a user action needed, these flaws are not security threats. Common sense and/or IT knowledge can prevent any damage.

There should be a fix in the future, but the media headlines don't fit the issue.
 
Apple is sitting on their hands worrying about the Apple Watch & cash flow instead of fixing their products that are exposing their customers' secured information.
Ok Mr. Psychic, what number am I thinking of right now?
 
Yes, but the key point here is that this attack can be mounted by apps that pass Apple's current vetting process for the app store. An unsuspecting user could download an app from the app store believing that Apple has made good on its promises that no badness will ever come from apps in its store. Suddenly BAZINGA, there's a listener sitting on the IPC between the user's browser and 1Password Mini that's sending everything that's passed between the two back home to papa. If this was only coming from unvetted software, your comment is correct. However, this attack can (at present) be mounted via "safe" apps from the Apple Store.
Yes, there is a false sense of security with the App store or any other app store for that matter. It's always up to the users to take the precautions. Sad, but true.
 
Except: It's not exposing their customer's secured information. Under *extremely* specific circumstances it *might* expose *future* logins. But *none* of your past ones.

And what are those specific circumstances in which it can expose *future* logins?
1. You have never logged in to that website using Keychain Access before.
2. The malicious app must already know your exact username/email for the website.

Those are extremely unlikely requirements, if I ever saw them.

If you read the actual paper written by the researchers you will learn that a) while the keychain system protects the actual secrets (i.e. passwords) the metadata (login name) is readable by all apps, and b) a key part of the vulnerability is that OS X does NOT prevent an untrusted app from deleting a keychain item, even when that untrusted app doesn't have read access to the secret. This is what allows the malicious app to delete the keychain item it can't read, and substitute it with a newly created keychain item that it can read (because it sets the access control to itself, and the app that created the original).

Admittedly, it appears that the attentive user might notice "Hey, Safari used to remember this password, but this time it didn't." An inattentive user will just reset the password via the web site, and then type it in, at which point it will get harvested by the malicious app.
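The symptom described just above (a site whose password Safari used to remember suddenly has to be re-entered) is the visible side of an item being deleted and re-created, and that replacement leaves a trace in the item's metadata: a new creation time and an access list with an extra member. The Python below is an added illustration, not code from this thread, from Apple or from the researchers: it diffs two snapshots of item metadata and reports items that were re-created or whose access list gained an app outside a trusted set. The snapshots are constructed for the example; the service names, timestamps and app identifiers in them are assumptions, and how the metadata is collected on a real machine is left to the reader.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ItemMeta:
    service: str      # the site or service the item is for
    account: str      # login name stored as a readable attribute
    created: str      # creation timestamp of the item (constructed values below)
    acl: frozenset    # app identifiers on the item's access list


def diff_snapshots(before, after, trusted):
    """Compare two snapshots of keychain item metadata and return a list of
    (service, reason) findings.  A replaced item shows up as a changed creation
    time and, typically, an access list that gained an unexpected member."""
    findings = []
    previous = {m.service: m for m in before}
    for item in after:
        old = previous.get(item.service)
        if old is None:
            # brand-new item: only worth flagging if it is already shared
            # with something outside the trusted set
            untrusted = item.acl - trusted
            if untrusted:
                findings.append((item.service, f"new item already shared with {sorted(untrusted)}"))
            continue
        if item.created != old.created:
            # an update keeps the creation time; delete-and-add does not
            findings.append((item.service,
                             f"item re-created (creation time {old.created} -> {item.created})"))
        gained = item.acl - old.acl
        if gained:
            findings.append((item.service, f"access list gained {sorted(gained)}"))
    return findings


# Constructed sample snapshots: the entry for www.example.com has been removed
# and re-added with an extra application on its access list; the other entry
# is untouched.  Identifiers and timestamps are made up for the example.
TRUSTED = frozenset({"com.apple.Safari", "com.apple.mail"})
BEFORE = [
    ItemMeta("www.example.com", "alice", "2015-01-10T09:00:00Z", frozenset({"com.apple.Safari"})),
    ItemMeta("mail.example.com", "alice", "2015-01-12T11:30:00Z", frozenset({"com.apple.mail"})),
]
AFTER = [
    ItemMeta("www.example.com", "alice", "2015-06-18T14:02:11Z",
             frozenset({"com.apple.Safari", "com.example.untrusted"})),
    ItemMeta("mail.example.com", "alice", "2015-01-12T11:30:00Z", frozenset({"com.apple.mail"})),
]


def sample_findings():
    """Findings for the constructed snapshots above."""
    return diff_snapshots(BEFORE, AFTER, TRUSTED)


if __name__ == "__main__":
    for service, reason in sample_findings():
        print(f"{service}: {reason}")
```

The creation-time check is the one that matters: an app that legitimately updates a stored password changes the modification time but not the creation time, so a creation time that moves is the signature of delete-and-add rather than of an ordinary update.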
 
a key part of the vulnerability is that OS X does NOT prevent an untrusted app from deleting a keychain item. This is what allows the malicious app to delete the keychain item it can't read, and substitute it with a newly created keychain item that it can read (because it sets the access control to itself, and the app that created the original).

That's the *only* thing that's an actual vulnerability and needs to change here:
Apps should not be able to delete items they aren't full-access members for. Heck, they definitely shouldn't be able to read the username either since there are very few legitimate reasons to allow that (the only one I know about is apps reading the Keychain to find your iCloud password, and offering you to sign in using the username and a blank password; but that's a dubious use anyway).

They might also want to set it up so that apps can only add *themselves* as an access-member. But that's just a minor issue and it would greatly inconvenience all apps that use separate helper-apps that need access.

By the way, the iOS Keychain is not vulnerable. iOS apps can only share items with apps from the same developer, and cannot delete the Keychain items from any other apps, and can only read their own Keychain items.
 
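The two posts above pin the defect on a single access-control rule (an app may delete an item it is not allowed to read) and describe two stricter models: the proposed fix, where only full-access members may delete, and the iOS model, where items are confined to the developer's access group. The Python below is an added illustration, not Apple's code and not the researchers' proof of concept: a toy in-memory keychain that implements the three policies side by side and runs the sequence the posts describe under each one, so that the effect of each rule can be compared. The app identifiers, the "TEAM.AppName" naming convention used to derive an access group, the service name and the passwords are constructed assumptions.

```python
from dataclasses import dataclass


class Denied(Exception):
    """Raised when the modelled policy refuses an operation."""


@dataclass
class Item:
    account: str   # login name: an attribute, world-readable on the OS X models
    secret: str    # the password: readable only by ACL members
    acl: set       # app identifiers with full access to the item
    group: str     # developer access group of the creating app (iOS model)


class Keychain:
    """Toy in-memory keychain; items are keyed by service name."""

    POLICIES = ("osx_2015", "osx_fixed", "ios")

    def __init__(self, policy):
        if policy not in self.POLICIES:
            raise ValueError(policy)
        self.policy = policy
        self.items = {}

    @staticmethod
    def group_of(app):
        # Constructed naming convention: "TEAM.AppName"; TEAM is the access group.
        return app.split(".")[0]

    def add(self, app, service, account, secret, acl=()):
        if service in self.items:
            raise Denied("adding never overwrites an existing item")
        members = set(acl) | {app}
        if self.policy == "ios" and any(self.group_of(m) != self.group_of(app) for m in members):
            raise Denied("iOS: items can only be shared within the developer's access group")
        self.items[service] = Item(account, secret, members, self.group_of(app))

    def read_account(self, app, service):
        item = self.items[service]
        if self.policy == "ios" and self.group_of(app) != item.group:
            raise Denied("iOS: item attributes are private to the access group")
        return item.account  # OS X models: the login name is readable by any app

    def read_secret(self, app, service):
        item = self.items[service]
        if app not in item.acl:
            raise Denied("secret: not an ACL member")
        return item.secret

    def update_secret(self, app, service, secret):
        item = self.items[service]
        if app not in item.acl:
            raise Denied("update: not an ACL member")
        item.secret = secret

    def delete(self, app, service):
        item = self.items[service]
        # The rule the posts single out: on the 2015 OS X model, delete is
        # permitted even for an app that may not read the item.  The fixed and
        # iOS models require full-access membership.
        if self.policy != "osx_2015" and app not in item.acl:
            raise Denied("delete: only full-access members may delete an item")
        del self.items[service]


def outcome_under(policy):
    """Run the sequence described in the posts against one policy and report
    what the untrusted app ends up with, as a short outcome string."""
    kc = Keychain(policy)
    safari, untrusted = "APPLE.Safari", "OTHER.Untrusted"
    kc.add(safari, "www.example.com", "alice", "original-password")
    try:
        # 1. read the login name (metadata) of an item whose secret is off-limits
        account = kc.read_account(untrusted, "www.example.com")
        # 2. remove the item it cannot read ...
        kc.delete(untrusted, "www.example.com")
        # 3. ... and plant a replacement with both itself and Safari on the ACL
        kc.add(untrusted, "www.example.com", account, "", acl={safari})
    except Denied as why:
        return f"blocked: {why}"
    # 4. the user resets the password and Safari, still an ACL member, stores
    #    the new one in the planted item, where the untrusted app can read it
    kc.update_secret(safari, "www.example.com", "new-password")
    return f"harvested: {kc.read_secret(untrusted, 'www.example.com')}"


if __name__ == "__main__":
    for p in Keychain.POLICIES:
        print(f"{p:10s} -> {outcome_under(p)}")
```

Run stand-alone it prints one line per policy. The comparison makes the post's point concrete: the 2015 model loses the new password even though the original secret was never readable, the fixed model stops the sequence at the delete, and the iOS model stops it one step earlier because the login name is not even visible outside the access group.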
As disconcerting as this whole issue is, there's one important thing missing - independent corroboration that the attack vectors the authors describe will indeed work in the way the authors have said in their paper. It's beyond my skill-set or I'd be working on it right now. All we, the Great Unwashed Masses, have at this time is this one paper. In googling this issue, all links point back to this paper with no added information. One link headlines that Apple acknowledged the problem, but what really happened is that the authors told whoever posted the article that Apple had told them, the authors, that this was a serious issue. Again, we have nothing but the authors of this paper telling us that this is a real threat that works as advertised.

The only option at this point is to assume that this is a valid attack vector and make sure you minimize your potential vulnerability to it.
 
I'm not sure why the researchers decided to tag on iOS as there really doesn't seem to be any new research presented. The scheme hijacking issue is already known and the paper clearly states that the keychain issues don't affect iOS.

As for the OSX vulns... classic client side attacks, albeit nasty ones.
 
Yes, but the key point here is that this attack can be mounted by apps that pass Apple's current vetting process for the app store. An unsuspecting user could download an app from the app store believing that Apple has made good on its promises that no badness will ever come from apps in its store. Suddenly BAZINGA, there's a listener sitting on the IPC between the user's browser and 1Password Mini that's sending everything that's passed between the two back home to papa. If this was only coming from unvetted software, your comment is correct. However, this attack can (at present) be mounted via "safe" apps from the Apple Store.

One did pass the vetting process 6 months ago, we don't know if one would or wouldn't now.
 
Except for the fact that the issue & reasonable cause has been found for some time now.
Apple is sitting on their hands worrying about the Apple Watch & cash flow instead of fixing their products that are exposing their customers' secured information.

You do not know what Apple did so far or what they are doing.
You do not know whether they are worrying about the Apple watch & cash flow instead of fixing what needs fixing.
You do not know what it takes to fix it and if it is even possible.
You do not know how long it took, will take or if it can be fixed.

In summary you just do not know anything more than what you read.

No need to panic or try to place blame onto Apple or any department of theirs; just acknowledge that it is and will be a continuing problem for all companies involved in software.
 
Except: It's not exposing their customer's secured information. Under *extremely* specific circumstances it *might* expose *future* logins. But *none* of your past ones.

And what are those specific circumstances in which it can expose *future* logins?
1. You have never logged in to that website using Keychain Access before.
2. The malicious app must already know your exact username/email for the website.

Those are extremely unlikely requirements, if I ever saw them.

I wouldn't even bet on them "fixing" it even now, since it's not broken. The laughable "exploit" uses the "mutual secret sharing" feature of Keychain Access, which allows multiple apps to access a mutually shared password. The malicious app must be the first app that inserts the password entry in Keychain Access, since it can't modify/read any pre-existing entries. Therefore, this is working as intended and there's no need for Apple to change *anything*. If they change things, it will be because of the media frenzy (as usual, blowing things out of proportion).

Post #102 - why the "keychain access problem" is not a problem at all, and why XARA (cross-app resource access) doesn't matter and doesn't compromise the security of 1Password, nor the system at large.

Post #112 - summary of the 1Password thread and why it has nothing to do with Keychain Access, and why the "1Password Mini impersonation" issue is bogus too.


Don't try to be logical here :) I get the concept of how it can happen, but there are too many users who do not think and click on any notification just to make it go away. (Again, all platforms)
Nobody can create safe computing for those kind of people.

This will not be the last exploit or proof of concept we see. It's just sexy to take Apple for max exposure.
By not answering and then going public nothing is being solved. If I was Apple I wouldn't answer either.
Nobody needs to know what I am doing.
Apple are not dumb hicks. If this is serious it will be fixed.

I wish all that password stuff would be replaced by Emoji and face recognition etc. Somebody is already working on it. First time I can see a use for Emoji, and maybe make them moveable.

Or, upon every password sending maybe a program sends some false info first and gets feedback somehow if it gets intercepted or something unusual happens.

But then again people click on everything. Oh well.

At least the hackers would have something to play with.
 
Except: It's not exposing their customer's secured information. Under *extremely* specific circumstances it *might* expose *future* logins. But *none* of your past ones.

And what are those specific circumstances in which it can expose *future* logins?
1. You have never logged in to that website using Keychain Access before.
2. The malicious app must already know your exact username/email for the website.

Those are extremely unlikely requirements, if I ever saw them.

I wouldn't even bet on them "fixing" it even now, since it's not broken. The laughable "exploit" uses the "mutual secret sharing" feature of Keychain Access, which allows multiple apps to access a mutually shared password. The malicious app must be the first app that inserts the password entry in Keychain Access, since it can't modify/read any pre-existing entries. Therefore, this is working as intended and there's no need for Apple to change *anything*. If they change things, it will be because of the media frenzy (as usual, blowing things out of proportion).

Post #102 - why the "keychain access problem" is not a problem at all, and why XARA (cross-app resource access) doesn't matter and doesn't compromise the security of 1Password, nor the system at large.

Post #112 - summary of the 1Password thread and why it has nothing to do with Keychain Access, and why the "1Password Mini impersonation" issue is bogus too.
Excuses...yeah, that will fix it...
 
that is ****ed up. Apple needs to change their attitude to these things because if you can't trust them anymore to fix these important holes, we shouldn't buy their stuff anymore. Maybe that will get their attention. BTW I love Apple stuff.
 
That's the *only* thing that's an actual vulnerability and needs to change here:
Apps should not be able to delete items they aren't full-access members for. Heck, they definitely shouldn't be able to read the username either since there are very few legitimate reasons to allow that (the only one I know about is apps reading the Keychain to find your iCloud password, and offering you to sign in using the username and a blank password; but that's a dubious use anyway).

They might also want to set it up so that apps can only add *themselves* as an access-member. But that's just a minor issue and it would greatly inconvenience all apps that use separate helper-apps that need access.

By the way, the iOS Keychain is not vulnerable. iOS apps can only share items with apps from the same developer, and cannot delete the Keychain items from any other apps, and can only read their own Keychain items.

I'm not sure yet that I would agree that the ability for untrusted apps to delete arbitrary keychain items is the *only* vulnerability, but I will say that it is disappointing, nay, appalling that it appears to be taking Apple more than six months to accomplish what is a very simple, commonsense fix that would block this very serious vulnerability. They've had three updates to the OS since this was disclosed.
 