Don't worry... iOS will be next.

So much for all that hype several years ago that Apple is secure, huh? It bought them nothing today...

Obviously, this would need physical access, yes? If so, then it's not as bad as we think.

Apple still relies on automated approval? I'm shocked...
 
These people should be very, very careful. If you publish an app on the app store, there's a contract that you have signed. If I was in Apple's position, I'd hand the contract and the app over to my lawyers and come down on them like a brick.

That's a huge difference between the app store and any random place for software: The developer is known to Apple, which means legal action can be taken, and there are contracts in place, which again means legal action can be taken.
 
Dude, don't forget your tinfoil hat... Why do people scream the sky is falling every time an article like this is posted? There are no known apps that use this yet. Worry then... LOL

I watched the video, and saw this. Did you?

 
The attack can be carried out from malicious apps. This implies that so long as you have that malicious app installed AND the vulnerability exists, then changing your passwords won't help - if they are stored on the device. The other implication is that app data is also exposed, which means that offline (on-device) store is also at risk.

Therefore the better suggestion is - be careful of what you install onto your devices.

I agree that people must be vigilant when installing software on their computers, but keep in mind that...

The apps come from the app store, they are BIG name software developers, and Apple has built the ecosystem to keep things secure (isn't that one reason the app store requires sandboxing?). THE USER IS NOT AT FAULT HERE.

The app store has been designed, in addition to other reasons, to give a "sense of security" to end users.

Apple is at fault. It's their OS, they are responsible for securing it, and they failed.
 
* Lastly: 1Password does not use Keychain Access. At all. Use that password manager instead. It's also far more portable, working on Windows and iOS as well, and has Dropbox sync. And of course it lets you store all kinds of other useful, secret data, like Software Licenses.

It seems that they are affected if certain conditions are met. I also see that a user with your user name has posted on the page linked below. Is that you?


AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks nor make the malware "work harder" some four months after it was warned of the vulnerabilities. ("Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem," said AgileBits's Jeffrey Goldberg in a blog post today.)
 
@chrfr Please read what you link to before linking it.

I'll leave it to you and other people to figure out why the page you linked to has nothing to do with the OS X keychain vulnerability. Hint about how to solve that quest: Read the page you linked to.

Quest rewards, should you complete this quest:

100 XP
10 Copper
1x [Welcome to the Internet Instructional Booklet]

Bonus objective: Read the other replies by AgileBits staff, to see why your 1Password data is safe no matter what.

Bonus rewards: 200 XP, 1x ["I Can Read Long Words!" Award]

The way I read it was that: If the timing is right, then information that is passed to the browser (password for the site) can be read by the malware. Did I interpret the information that was posted incorrectly?
 
So,

Just so I can make sure I'm getting the gist of this:

A user must install a malicious app, a trojan, which will likely require them to change the default system preference to allow an unsigned app to be installed. This will require them to go to System Preferences and change the security settings, requiring an Admin username and password.

There is at least one confirmed app that was approved by Apple for inclusion in the App Store. No approval of an unsigned app is necessary...
 
@thisisnotmyname I already covered that (proxying) too: If a malicious program uses port 6263, you would be UNABLE to log into existing sites. The extension would be talking to the fake "1Password mini impersonator" and the impersonator would not have any of your passwords, since it's not the real vault, which in turn means that your extension would be unable to retrieve the passwords of any websites. The real vault would still be locked. THAT is why the paper says "If you log into a NEW site, and tell the extension to SAVE the NEW password, we can intercept it"; because the "save this new password!" request would be sent to the fake 1Password Mini. But it won't affect any of your EXISTING data. As I pointed out in Post #112, they already designed 1Password with this exact kind of possible impersonation in mind, and your actual vault data is still safe. And you would *quickly* notice that your 1Password extension isn't able to log into any of your pre-existing sites anymore since it's talking to a fake (empty) impersonation vault.

The only way to actually steal *saved* logins is if they either impersonate the whole GUI (not gonna happen, see post #133), or if they created a proxy that sat between the browser extension and 1Password mini and read all the back/forth communication -- But such a proxy is impossible to create, since you can't bind multiple apps to the same TCP port, so it's impossible to "sit between" the two apps. That's why this "exploit" has to start *before* the real 1Password Mini, so that it can be the first to bind the port, since you can't have two apps on one TCP port.

The only thing they could conceivably do is install a packet capture driver (that's a root-level command and would require root access and a restart); which basically means a kernel extension that sits at the TCP/IP stack and observes all network traffic. Such a kernel extension would need to be signed by Apple for it to be loaded by the OS, and they're not going to give out a kernel extension certificate for that. ;)

What if one uses 1Password without 1Password Mini running? Are new entries, created manually, or the 1Password database vulnerable? What about entering the master password without 1Password Mini running?
 
The people who made this info public are aiding and abetting criminals. They should be charged, tried, and punished. This is the same as if someone checks out your house, finds ways to break in, then makes that info available to people wanting to break in to your house and steal. I don't care if they told Apple 100 yrs ago. It is aiding and abetting criminals.
If Apple actually did communicate with the researchers about what they were going to do in a timely manner, I'm pretty sure they wouldn't have disclosed this information.
Think that if they found it, some other people already know about it. Which means some people could be using that, right now, to steal passwords.

What would be better, letting Apple decide to fix it "one day" and in the meantime having people get their passwords stolen, or exposing the threat so they HAVE to fix it or take a blow to their "OS X is secure" image?

One could even say not fixing the problem after 6 months to the detriment of their customers is criminal as well.
And yes, 6 months is plenty of time. If their dev can't fix that in that time, they should most likely find new ones or change their workflow.
 
Exactly! It's a security problem that results from 1Password's design decision, not an Apple security problem. 1Password is using a client-server design where both the client AND the server are running on the customer's machine, and as a result the client has no way to be 100% sure it's talking to the real server.

The solution to 1Password's problem is to design your password service like Lastpass where your Safari extension talks to a server under the service provider's control. Your extension can be sure it's talking to the real server by verifying an SSL certificate or other public key cryptographic method that can't be reverse engineered. 1Password doesn't do this because their business model is selling downloadable software not selling a cloud-based subscription service like Lastpass.

There are pros and cons of apps instead of cloud password managers. One pro is that password information can (potentially) never leave the user's computer. A big con is that if your app consists of two separate pieces of software (like 1password's Safari extension + 1password mini), they can't mutually authenticate each other in a way that can't be reverse engineered.

This is why I never use the 1Password Mini or the browser extensions. Unfortunately, based on one of the posts I read on the Agile Bits site, it seems that I am at more of a risk than if I did use 1Password Mini. Honestly, this confuses me. I would appreciate your input, if you have the time.
 
Hi all,

Keep in mind that my conclusions will be speculative.
A bit more than 1 week ago, my 2 credit cards were hacked. At the same time.
Basically I received an email from American Express asking me to call their service center to check some operations with me. Operations which I didn't do, as I was at home.
At the same time (while I was calling them, literally) I received 3 text messages from my bank informing me of 3 transactions in South Korea, where I have never been, on my Visa card.
I had to cancel both my credit cards.

So since then I didn't really understand what happened. I tried to think and, although at first I thought that the only place where both my credit cards were saved was Amazon, it turned out my Amex card wasn't.
So, the only place I could think of is 1Password.
And let's be clear: yes, I use a strong password, made of uppercase and lowercase letters and numbers, and it doesn't mean anything (no words etc...).
I checked my Mac for viruses and stuff but couldn't find anything, and I am quite careful about what I install. Plus it's a Mac I recently got.
The only other possibility would be in a hotel where I would have left my wallet, but I never went to South Korea, I nearly never leave my wallet, and for sure never do when there is no "do not disturb" card.

So, I am not saying it WAS from 1Password. But, now that I see that, I think it might be an option.
For the moment I changed my 1Password master password and removed all credit card numbers from the application.
I am wondering if there is any way to know where my credit card numbers were stolen...
 
These people should be very, very careful. If you publish an app on the app store, there's a contract that you have signed. If I was in Apple's position, I'd hand the contract and the app over to my lawyers and come down on them like a brick.

That's a huge difference between the app store and any random place for software: The developer is known to Apple, which means legal action can be taken, and there are contracts in place, which again means legal action can be taken.

Yeah, that's really obvious by the way they crack down on all those known Chinese developers.

If you think there aren't spoofed developers or those unknown to apple in their store you're living a fantasy.

This whole thing is really unacceptable
 
Now all this talk of apps has me worried about a few apps I downloaded from the Apple Store. Two of them I just deleted as I don't really use them anymore, but they could have left nefarious remnants behind, correct?

Also, is anyone familiar with Photo Sweeper? http://overmacs.com/?p=photosweeper
I downloaded it from the App Store, but now I'm concerned. I did some checking before I bought it, and it has worked fine, but who knows what it is doing behind the scenes? How can I check to see if this is a "bad" application?
All comments welcome. PM me if you don't want to post publicly.

Thanks!
 
The people who made this info public are aiding and abetting criminals. They should be charged, tried, and punished. This is the same as if someone checks out your house, finds ways to break in, then makes that info available to people wanting to break in to your house and steal. I don't care if they told Apple 100 yrs ago. It is aiding and abetting criminals.

No, this stuff has to be public no matter the OS or company. I do think a staggered release, like with Heartbleed and OpenSSL, makes sense, but it still has to be public. These researchers aren't special; if they found it, others have too. Knowledge of the flaw is the only way a normal person can protect themselves. This stuff needs to be on the nightly news, not in the back room.
 
Two of these aren't really security exploits, but rather poor application design:

IPC spoofing is only a problem if an application assumes that an IPC target is trustworthy without performing any verification; it's bad practice to assume that a port will be used only by the application you expect to be on the other end, and you should use security certificates or other forms of verification to establish identity first. A port is just a simple means of finding a service, not of securing it. If 1Password can't report a spoofed port as in use, or try to find its service on other ports, then that's bad design, not a flaw in the OS.

Likewise URI schemes; scheme names are not guaranteed to be unique, and so you should never send sensitive data via a custom URI until you've verified the identity of the target.


I'd argue that the keychain exploit is still an application fault as well; keychain entries again aren't unique (any application can create an entry with any name, type etc.) so you shouldn't assume that if an entry exists that it was created by your application.


The issue with containers is one that should be fixed however, as it's not something that applications are really supposed to have to inspect or verify, so OS X should definitely do more to verify an existing container before using it.
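
The two posts above about port 6263 (an impostor must bind the port before the real 1Password mini, because two processes cannot own one TCP listening port, and a legitimate service can notice the port is already taken) can be reproduced on any machine. The following is an added example written for this thread; it is not code from the thread, from AgileBits or from the researchers' paper. The loopback host, the "save-login" request bytes and the service banners are constructed for the demo, and the port is picked dynamically instead of hard-coding 6263 so the script runs anywhere:

```python
"""
Added example: the first-to-bind race behind the "port 6263" argument.

Not code from the thread, from AgileBits or from the XARA paper. The host,
the constructed request bytes and the service banners are this example's own
assumptions; the port is picked dynamically so the demo runs anywhere.
"""
import errno
import socket
import threading

HOST = "127.0.0.1"  # loopback, like a local helper process such as 1Password mini
_IN_USE = (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE))


def bind_listener(host, port):
    """Claim host:port the way a local helper service would.

    Returns a listening socket, or None when another process already owns the
    port. SO_REUSEADDR/SO_REUSEPORT are deliberately left off: exclusive
    ownership of the port is exactly what the argument in the thread relies on.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        if exc.errno in _IN_USE:
            return None  # somebody got there first
        raise
    sock.listen(1)
    sock.settimeout(5)
    return sock


def serve_one(listener, banner):
    """Accept a single client and answer with this service's banner.

    An impostor would record the request (here a constructed 'save new login'
    message) before replying; the real vault would validate it instead.
    """
    conn, _ = listener.accept()
    with conn:
        conn.recv(1024)
        conn.sendall(banner)


def client_request(host, port, payload):
    """What a naive extension does: connect to the well-known port and trust
    whoever answers. TCP carries no proof of which process is listening."""
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(payload)
        return conn.recv(1024)


def pick_free_port():
    """Ask the kernel for an unused port; stands in for the fixed port 6263."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind((HOST, 0))
        return probe.getsockname()[1]


def run_hijack_demo():
    """Impostor binds first, real service starts second, extension connects.

    Returns what each party observed.
    """
    port = pick_free_port()

    # 1. The malicious app is launched first and claims the port.
    impostor = bind_listener(HOST, port)
    if impostor is None:
        raise RuntimeError("demo port unexpectedly in use")

    # 2. The real helper starts later and gets EADDRINUSE. A well-designed
    #    service reports this to the user instead of silently giving up.
    real_service = bind_listener(HOST, port)
    hijack_detected = real_service is None

    # 3. The extension sends a brand-new login to the well-known port. It
    #    reaches the impostor, which is the case the paper describes.
    worker = threading.Thread(target=serve_one, args=(impostor, b"IMPOSTOR"))
    worker.start()
    reply = client_request(HOST, port,
                           b"save-login site=example.test user=alice pw=hunter2")
    worker.join()
    impostor.close()

    return {"port": port,
            "real_service_detected_hijack": hijack_detected,
            "extension_reached": reply}


if __name__ == "__main__":
    print(run_hijack_demo())
```

Run it and the real service's bind fails while the extension's request lands at the impostor; swap the start order and the impostor is the one that gets EADDRINUSE. The bind error is the only signal the legitimate helper gets, which is why the post above treats failing to surface "port already in use" as an application-design problem rather than an OS flaw.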
 
You illustrate exactly my point by stating that it is a FACT that Apple did NOTHING.

Let's get upset about a totally unproven and unfounded statement you throw out.
Same for another poster claiming Apple is sitting on their butts.

You can prove that Apple has done nothing in terms of fixing issues for several years?

They just issue system updates for fun or because they are bored?

Do you really think ANY company welcomes problems within its software and just shrugs its shoulders when they learn there is an issue?

Without analyzing things they won't even know where to start.

I wish you would work in the Apple department responsible for security in software development.
Your posts would probably be quite different.
Wow, you are bringing down the IQ of this website quickly...

THERE IS AN ISSUE!
FACT!

You are now trying to lighten the issue by ASSUMING Apple MIGHT have already done something... BUT THE ISSUE STILL EXISTS!

How hard is that to follow, without trying to spin the fact that there IS an ISSUE/FLAW?
 
They also gave apple SIX months to fix it.

They've done nothing wrong at all.
Maybe nothing legally wrong, but it's still F'd up for all users affected so they can get their names out as "geniuses" who discover the flaw.
 
They were pointing out the typo in "paper research paper". Thirteen pages tells me that there is some data to back up the researchers assertions. As a humble brag, it was pretty humble.

The amount of pages is relative. I can explain how a nuclear power plant works in a paragraph or 100 page document. In the end, you are left with how a power plant works.
 