@Thunderhawks: Yep. The only thing that needs fixing by Apple is to no longer allow unauthorized apps to delete Keychain items.

You're right that people click on everything. I never provide friends or family with computer support. You wanna click on a cracked program you got from a dubious torrent? I'll let you have that virus until you learn from your mistakes. ;)

@flaubert: That's the only real vulnerability. The rest is no big deal and is working as intended. But yes I agree that it's pathetic it has been 6 months without a fix for the "unprivileged apps can delete Keychain items" issue. It'd probably take them 5 minutes to add an "if the app has access rights: delete the item, otherwise deny" check to that API. Give them another month to test the system to make sure the change doesn't break any official apps or big 3rd party apps, and then ship it.
 
You do not know what Apple did so far or what they are doing.
You do not know whether they are worrying about the Apple watch & cash flow instead of fixing what needs fixing.
You do not know what it takes to fix it and if it is even possible.
You do not know how long it took, will take or if it can be fixed.

In summary you just do not know anything more than what you read.

No need to panic or try to place blame onto Apple or any department of theirs; just acknowledge that it is and will be a continuing problem for all companies involved in software.
What you wrote did not deflect the fact that Apple has done NOTHING!
If they did, this thread or this Apple bug exposure would not be here.

Please don't try to sugarcoat Apple's lack of fixing issues the last several years.
 
By not answering and then going public nothing is being solved. If I was Apple I wouldn't answer either.
Nobody needs to know what I am doing.
Apple are not dumb hicks. If this is serious it will be fixed.
Almost every ONE of your posts is an EXCUSE you create for Apple for not doing the right thing and fixing issues.

How about we start asking Apple to FIX THEIR ISSUES that have lingered for several months or longer.

*We will await your reply of more excuses.
 
@bawbac: Pfft. Don't you know that Apple programmers are cool people and have social lives, unlike normal "Ganoo/Loonix" programmers. They simply spent most of the last 6 months partying and shagging. Don't hate on their fun.

Actually, there are lots of valid reasons why it can take this long. Maybe there's a werewolf in the Apple office and everybody keeps finding hair stuck in their keyboards, so they can't type any code anymore... Like I said, lots of valid reasons...
 
As for the semi-related 1Password issue, they've just written a new blog post, restating what I was saying earlier about how a "1Password Mini impersonation" doesn't actually compromise any existing 1Password data, since 1Password was designed from the ground up to deal with the possibility of impersonation:

Hi folks,

We wrote up a blog post on this one since we wanted to let everyone know exactly what was going on. You can read it here.

I hope that helps clear anything up regarding 1Password. Thanks!
 
that is ****ed up. Apple needs to change their attitude to these things because if you can't trust them anymore to fix these important holes, we shouldn't buy their stuff anymore. Maybe that will get their attention. BTW I love Apple stuff.
There is no indication that Apple is not trying to fix it. In fact, the paper mentioned that Apple tried using a 9-digit random number as the accountName for the iCloud keychain, which didn't help when the researchers found a new problem where they can delete and re-create the fake keychain item.
 
"The thirteen-page research paper "Unauthorized Cross-App Resource Access on Mac OS X and iOS" details that inter-app interaction services, ranging from the Keychain and WebSocket on OS X to the URL Scheme on OS X and iOS, can be exploited to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits."

Hi, I'm Megan and I work for AgileBits, the makers of 1Password.

For our security expert's thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we'd love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.
 
Isn't it funny how some people would say "It's not a security flaw, because users have to install an app, or with some common sense/IT knowledge they could avoid it"?

Last time I checked, most bugs/flaws on Android/Windows also require user input of some kind, but then, it's why Microsoft sucks, why Android cannot be trusted, and why these people use Apple products, because they're safe from those problems...

But then, I guess it's not really Apple's fault, damn security researchers who publish their work when Apple doesn't move their butts ;)
 
Almost every ONE of your posts is an EXCUSE you create for Apple for not doing the right thing and fixing issues.

How about we start asking Apple to FIX THEIR ISSUES that have lingered for several months or longer.

*We will await your reply of more excuses.

I do not work for Apple and they do not need me to make excuses for them.
They have a way of doing business which is very private and secretive for a variety of reasons.

While I like a lot of their products, I am objective and critical enough to see when people just make up facts and then get upset about their made-up stuff, assuming things.

As they say as a joke: if one splits the word assume it makes an a$$ out Of u And me.

Fact is that no platform is safe from vulnerabilities and another fact is that people do not know whether Apple is doing anything about this latest blown out of proportion issue or not.

Most are not even knowledgeable enough to know what goes into coding for this, whether it's possible or how easy or difficult that all is.

And, people includes YOU.

Please admit that you have no idea what or if Apple is fixing anything related to this, and if you ever had knowledge about when, if and how Microsoft, Android etc. were fixing bugs or vulnerabilities, TELLING consumers what they were doing.

And, since you are so adamant about timing, let us know how long it took each company from knowledge to fixing of a certain bug. It will not be communicated. We usually see a generic statement that updates are for "stability and other improvements".

All we can do is hope that all companies are permanently watching that particular field and do whatever is necessary to keep damages to consumers to a minimum.
 
What you wrote did not deflect the fact that Apple has done NOTHING!
If they did, this thread or this Apple bug exposure would not be here.

Please don't try to sugarcoat Apple's lack of fixing issues the last several years.

You illustrate exactly my point by stating that it is a FACT that Apple did NOTHING.

Let's get upset about a totally unproven and unfounded statement you throw out.
Same for another poster claiming Apple is sitting on their butts.

You can prove that Apple has done nothing in terms of fixing issues for several years?

They just issue system updates for fun or because they are bored?

Do you really think ANY company welcomes problems within its software and just shrugs its shoulders when they learn there is an issue?

Without analyzing things they won't even know where to start.

I wish you would work in the Apple department responsible for security in software development.
Your posts would probably be quite different.
 
OK...so they haven't fixed a security flaw that they've known about for at least 6 months.
Helloooooo, they've been busy with the Apple Watch. o_O

Hellloooo, there is not only one person working at Apple.
Again you don't know whether they have fixed it or not or what even their standpoint is.

I'll put that on permanent paste to insert it for everybody who claims to know. YOU DON'T!
 
That's the *only* thing that's an actual vulnerability and needs to change here:
Apps should not be able to delete items they aren't full-access members for.

Your post before this said nothing needed to be changed, then some guy points out that your assessment of this vulnerability is completely wrong and much more serious than you claim, and you changed your story?
 
@Guyfromthat90smovieaboutdrugs: Yes. All of the other pieces of the puzzle are a complete non-issue. But the ability to delete keychain items that you don't have access to is ridiculous and should be fixed (it may have been an accident or incorrect ACL check in the delete API, since the ability to delete passwords owned by other applications doesn't make any sense at all).
 
Looks like OS X applications using the Keychain will have to verify the ACLs on their entry before use.
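The two checks the thread keeps returning to are the one an earlier poster describes for the store itself ("if the app has access rights: delete the item, otherwise deny") and the client-side one above (an app verifying the ACL on its entry before trusting it). The following toy model, added here as an illustration and not Apple's Keychain, its API, or code from anyone in the thread, replays the delete-and-recreate sequence the thread describes against a per-item ACL store and shows that either check stops it. All app names, item names and the `Store` behaviour are constructed for the example.

```python
"""Toy model of a credential store with per-item access lists.

Illustrative code only: it is not Apple's Keychain or its API. App identifiers,
service/account names and the store's behaviour are constructed for the example.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a caller is not on the item's access list."""


@dataclass
class Item:
    secret: str
    acl: set  # identifiers of apps allowed to read, write, grant and delete


@dataclass
class Store:
    # strict_delete=False models the behaviour the thread complains about:
    # any app can delete any item regardless of the item's access list.
    strict_delete: bool = True
    items: dict = field(default_factory=dict)

    def _get(self, service, account):
        return self.items[(service, account)]

    def _check(self, caller, item):
        if caller not in item.acl:
            raise AccessDenied(caller)

    def add(self, caller, service, account, secret):
        """Create an item; only the creating app is on its access list."""
        if (service, account) in self.items:
            raise KeyError("item already exists")
        self.items[(service, account)] = Item(secret, {caller})

    def read(self, caller, service, account):
        item = self._get(service, account)
        self._check(caller, item)
        return item.secret

    def update(self, caller, service, account, secret):
        item = self._get(service, account)
        self._check(caller, item)
        item.secret = secret

    def grant(self, caller, service, account, other_app):
        """An app on the access list may add another app to it."""
        item = self._get(service, account)
        self._check(caller, item)
        item.acl.add(other_app)

    def delete(self, caller, service, account):
        item = self._get(service, account)
        if self.strict_delete:      # the fix: delete is gated like read/write
            self._check(caller, item)
        del self.items[(service, account)]

    def acl_of(self, service, account):
        return frozenset(self._get(service, account).acl)


def hijack_attempt(store, verify_acl_before_use=False):
    """Replay the sequence the thread describes (delete the victim's item,
    re-create it with the attacker on the access list, then wait for the victim
    to write its secret into the replaced item). Returns True if the attacker
    ends up able to read the victim's new secret, False if a check stopped it."""
    store.add("victim.app", "mail", "alice", "old-password")
    try:
        store.delete("malicious.app", "mail", "alice")
    except AccessDenied:
        return False                      # blocked by the strict delete check
    store.add("malicious.app", "mail", "alice", "")
    store.grant("malicious.app", "mail", "alice", "victim.app")
    # The victim app now updates its stored password. A careful client checks
    # that nobody else is on the access list before trusting the item.
    if verify_acl_before_use and store.acl_of("mail", "alice") != {"victim.app"}:
        return False                      # detected: unexpected app on the ACL
    store.update("victim.app", "mail", "alice", "new-password")
    try:
        return store.read("malicious.app", "mail", "alice") == "new-password"
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("permissive delete, no client check:",
          hijack_attempt(Store(strict_delete=False)))
    print("strict delete:", hijack_attempt(Store(strict_delete=True)))
    print("permissive delete, client verifies ACL:",
          hijack_attempt(Store(strict_delete=False), verify_acl_before_use=True))
```

With the permissive delete and no client-side check the replaced item ends up readable by the attacker; gating delete on the ACL stops the sequence at the first step, and a client that compares the ACL to the single principal it expects refuses to write into the replaced item even on the permissive store. The model treats the ACL as a plain set of app identifiers; a real store would identify callers by something the caller cannot forge, which is outside what this example covers.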
 
There is no such thing as security from this sort of thing. For every programmer that writes a security program that is supposed to keep our information secure, there is a hacker out there that can decode/hack the program to steal what ever they want.

Apple could come out with a patch today to fix the current problem, but tomorrow someone else finds a way to hack it.

There is no such thing as security.

There is no such thing as health in life. For every pharmaceutical company that makes a drug that is supposed to heal an illness, there is a virus or bacterium out there that can go around the drug to create another illness.

Pfizer could come out with medication today to heal the current illness, but tomorrow some other germ finds a way to infect you.

There is no such thing as health.
 
I don't know how this is a security issue. The Keychain entry explicitly says "Allow access" for both apps.
The malicious app made the Keychain allow access for it, not the user, unless I missed something. That's where the security flaw is. This is horrible. Looks like the entire Keychain can be easily broken into!
 
Lead researcher Luyi Xing told The Register that he reported the security flaws to Apple in October 2014 and complied with the iPhone maker's request to withhold publishing the information for six months, but has not heard back from the company since and is now exposing the zero-day vulnerabilities to the public. The flaws affect thousands of OS X apps and hundreds of iOS apps and can now be weaponized by attackers.
So this is a massive failure on Apple's part. Who was in charge of dealing with this and just let it slip??!
...
Is Mac OS X Panther affected?
 
The people who made this info public are aiding and abetting criminals. They should be charged, tried, and punished. This is the same as if someone checks out your house, finds ways to break in, then makes that info available to people wanting to break into your house and steal. I don't care if they told Apple 100 years ago. It is aiding and abetting criminals.
 
that is ****ed up. Apple needs to change their attitude to these things because if you can't trust them anymore to fix these important holes, we shouldn't buy their stuff anymore. Maybe that will get their attention. BTW I love Apple stuff.

Apple are worth billions. I'm sure they will not mind missing a few crybabies.
 
The people who made this info public are aiding and abetting criminals. They should be charged, tried, and punished. This is the same as if someone checks out your house, finds ways to break in, then makes that info available to people wanting to break into your house and steal. I don't care if they told Apple 100 years ago. It is aiding and abetting criminals.
Going with your analogy, the someone checking out your house has also told you the ways to break in, you then told that someone to wait six months before you tell others of those ways, and you then wait eight to nine months before you do so.
Now what did you do in that time?
 
The point is that one cannot put a time limit onto fixing system bugs or vulnerabilities.
First one needs to recreate it to confirm, then check why it does what it does and how it can be outsmarted.
Then it needs to be tested, so it doesn't screw up other things, and then, and then...

Like it was said a billion if you can fix it tomorrow.

You're right, but Apple have billions of $$. They could put a special 20-man team on this and have it fixed within days or weeks. I bet the CEO's and other top big wigs' Macs are patched.
 