
Your confidential information, ranging from web passwords in Chrome and other browsers to app passwords to banking credentials stored and synced between devices through Apple’s iCloud Keychain service—even data you thought was stored safely in password managers like 1Password and LastPass—can be easily compromised due to a trio of major vulnerabilities discovered in Apple’s desktop and mobile operating systems.

As discovered by a team of researchers at Indiana University, Georgia Tech and China’s Peking University and reported by The Register, Keychain’s access control lists, URL schemes and OS X’s app containers contain flaws creating serious attack vectors.

These zero-day flaws let malicious apps access, change and delete entries in a user’s Keychain, a central repository in both OS X and iOS for saving encrypted passwords and other private data.

“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps,” the team said.

Making matters worse, fixing these flaws is anything but trivial and would require significant architectural changes to the way OS X and iOS interact with apps.

Here’s a video showing the Keychain vulnerability being exploited in the Google Chrome browser on OS X. The researchers were able to raid banking credentials from Chrome on the latest Mac OS X 10.10.3 Yosemite, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, as well as passwords from password vaults.

Google will be removing Keychain integration for Chrome until a fix is delivered because they couldn’t address these flaws at the application level.

Not only can these catastrophic weaknesses let a malicious app break into your Keychain, they also let it bypass the App Store security checks and break app sandboxes.

As a result, attackers can steal passwords from any installed app.

Another worrying proof-of-concept video shows a malicious Mac app stealing a user’s iCloud access tokens stored in the Keychain, potentially opening the door to major identity theft as more and more of our digital lives are stored in iCloud.

As you can see, the malicious app was able to steal the secret iCloud token used to sign in to iCloud through System Preferences.

Lastly, this clip shows a vulnerability allowing a malicious helper app to access data in legitimate apps by using the same Bundle ID. Signed apps distributed through the Mac App Store have unique Bundle IDs, but the requirement doesn’t extend to helper apps.

So, for example, one could create a rogue helper app using the same Bundle ID as AgileBits’ 1Password to access that app’s container and steal all of a user’s private information saved in 1Password.

AgileBits said it could not find a way to ward off the attacks.
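The passage above turns on the fact that the App Store enforces unique Bundle IDs for top-level apps but not for helper bundles, so two different apps can ship helpers claiming the same identifier. The following script is an added example written for this post; it is not code from the researchers, Apple or AgileBits. It audits an inventory of installed bundles and flags any CFBundleIdentifier claimed by bundles that belong to two or more different top-level apps, which is the condition a defender would want to notice. The sample inventory, its paths and the identifiers `com.example.vault` and `com.example.vault-helper` are constructed for the demonstration; `inventory_from_disk` reads real Info.plist files and is what you would point at /Applications on a Mac.

```python
"""Flag helper bundles whose CFBundleIdentifier collides with a bundle
shipped by a different top-level application.

Added illustration for the XARA helper-app issue described in the post;
all sample paths and identifiers below are constructed, not real products.
"""
import plistlib
from collections import defaultdict
from pathlib import Path, PurePosixPath
from xml.parsers.expat import ExpatError

# Constructed inventory: bundle path -> parsed Info.plist dictionary.
# A hypothetical "Freebie" app ships a login-item helper that reuses the
# helper identifier of the hypothetical "Vault" password manager.
SAMPLE_BUNDLES = {
    "/Applications/Vault.app": {
        "CFBundleIdentifier": "com.example.vault",
        "CFBundlePackageType": "APPL",
    },
    "/Applications/Vault.app/Contents/Library/LoginItems/Vault Mini.app": {
        "CFBundleIdentifier": "com.example.vault-helper",
        "CFBundlePackageType": "APPL",
    },
    "/Applications/Freebie.app": {
        "CFBundleIdentifier": "com.example.freebie",
        "CFBundlePackageType": "APPL",
    },
    "/Applications/Freebie.app/Contents/Library/LoginItems/Helper.app": {
        "CFBundleIdentifier": "com.example.vault-helper",
        "CFBundlePackageType": "APPL",
    },
}


def top_level_app(bundle_path: str) -> str:
    """Return the outermost .app bundle that contains bundle_path.

    Nested helpers live inside their parent's Contents/ tree, so the first
    path component ending in ".app" identifies the owning application.
    """
    parts = PurePosixPath(bundle_path).parts
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return str(PurePosixPath(*parts[: i + 1]))
    return bundle_path


def find_bundle_id_collisions(inventory: dict) -> dict:
    """Return {bundle_id: sorted bundle paths} for every identifier that is
    claimed by bundles under two or more different top-level apps.

    A helper that shares an identifier with its own parent app is not a
    collision; only cross-application reuse is reported.
    """
    by_id = defaultdict(set)
    for path, info in inventory.items():
        bundle_id = info.get("CFBundleIdentifier")
        if bundle_id:
            by_id[bundle_id].add(path)

    collisions = {}
    for bundle_id, paths in by_id.items():
        owners = {top_level_app(p) for p in paths}
        if len(owners) > 1:
            collisions[bundle_id] = sorted(paths)
    return collisions


def inventory_from_disk(root: str) -> dict:
    """Build an inventory by reading every Contents/Info.plist under root
    (for example /Applications).  Unreadable or malformed plists are skipped
    rather than aborting the whole scan.
    """
    inventory = {}
    for plist in Path(root).rglob("Contents/Info.plist"):
        try:
            with plist.open("rb") as fh:
                inventory[str(plist.parent.parent)] = plistlib.load(fh)
        except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
            continue
    return inventory


if __name__ == "__main__":
    # Run against the constructed inventory; swap in
    # inventory_from_disk("/Applications") to audit a real machine.
    for bundle_id, paths in find_bundle_id_collisions(SAMPLE_BUNDLES).items():
        print(f"{bundle_id} is claimed by {len(paths)} bundles:")
        for path in paths:
            print(f"  {path}  (owner: {top_level_app(path)})")
```

On the constructed data the only finding is `com.example.vault-helper`, claimed by a helper inside both Vault.app and Freebie.app. A collision is a signal to investigate, not proof of malice, since legitimate suites sometimes ship the same helper under several parent apps; the value of the check is that it surfaces exactly the condition the post describes so that a human can look at who signed each bundle.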

“Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense,” the researchers wrote in the paper.

The wide ranging security study was published in the form of a thirteen-page research paper titled “Unauthorized Cross-App Resource Access on Mac OS X and iOS”.

An excerpt from the study offers rather grim assessment of the situation:

Our study brings to light a series of unexpected, security-critical flaws that can be exploited to circumvent Apple’s isolation protection and its App Store’s security vetting. The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed.

Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms. Most importantly, the new understanding about the fundamental cause of the problem is invaluable to the development of better app isolation protection for future OSes.

The researchers reported their discoveries to Apple back in October 2014.

Given the gravity of the attacks, the company asked for a six month extension and in February requested an advanced copy of the research paper before it was made public.

Apple has yet to deliver a fix via iOS and OS X software updates, so for the time being users are advised not to install apps from unknown sources, and to be especially cognizant of any suspicious password prompts.

Source: The Register

  • Matheus Lisboa

    So the thing is the same as always? just don’t install things from unknown sources?

    • Hi

      LOL, that’s what I thought.

    • This Guy

      Quoted from MacRumors article-

      A team of six researchers from Indiana University, Georgia Tech and Peking University have published an in-depth report exposing a series of security vulnerabilities that enable sandboxed malicious apps, approved on the App Store, to gain unauthorized access to sensitive data stored in other apps, including iCloud passwords and authentication tokens, Google Chrome saved web passwords and more.

      So no, apparently, this doesn’t just apply to those types of apps. This can be exploited through apps approved by Apple.

      • So Apple is approving malicious apps? Are there any cases that indicate this or is it just that this could happen theoretically?

      • This Guy

        Well, I don’t think any of the apps are ‘malicious’ per se, just that it is POSSIBLE to exploit using some apps. I’m under the impression that the team just happened to find out the possibilities. If there were actually apps DOING this, then you’d likely be reading a much differently written article.

  • Is iOS 9 and OS X El Capitan vulnerable?

    • Hussain Alsanona

      That’s what I’m asking myself.

      • Having briefly skimmed the paper I’d assume the answer is “Yes”, they are vulnerable. The problems listed don’t seem like they have a quick fix and the paper seems to suggest as much. Luckily for us though Android and Windows have a much higher market share than iOS and OS X. I don’t think people need to be worried unless they know they have a malicious application on their system.

  • MrE23

    People making light of this are Apple-blinded idiots. This is a very big deal. I’m completely bought-in with Apple, and I hope they use these findings to do whatever it takes to secure their OSs ASAP- this should be their absolute highest and most well-funded priority. Meantime, my faith in the security of their platforms has taken a huge nosedive.

  • Eikast

    Well this has me worried. Not the idea of me getting infected (I don’t pirate software and I do not download shady software), but the idea that this is possible on OS X. Not sure if I should disable 1password now.

    • jzack

      for some reasons, maybe you should

    • JWSnavely

      No, running 1Password still protects you from key-loggers and malware that analyses clipboard data. Furthermore, this exploit has to start running before 1Password mini does to actually intercept data (it can’t actually steal it) or it won’t work. So setting 1Password mini to always run (in preferences) will help protect you against another malicious app trying to claim that it is the real password extension.

  • Bugs Bunnay

    Any person who’s gonna save you isn’t safe themselves!

  • Mr_Coldharbour

    This is precisely why I do not use any Cloud Keychain or any WiFi syncing features, iCloud syncing of passwords or anything iCloud/Cloud-based services. I do manual, on-site, on-HDD, devices to Mac, Mac to external HDD backups and if I do restore data, it’s done the same way, the way it’s been done before the introduction of cloud-based tech. I do not perform any syncing through WiFi across devices or anything like that because (a) not as secure as on-site backups/restores, and (b) more of a hassle than a convenience. I do not envy users who use cloud or iCloud or Keychain syncing, this method has worked for me, it is convenient and I’ve gotten used to it. Yes I do use 1Password but no iCloud/Cloud Keychain syncing across devices/computers, so my data never touches the cloud or leaves my device unless it’s done through lightning cable straight to my Mac which doesn’t touch the cloud either. If I do need to backup/restore such data I just do manual backups through iTunes and save it in a folder somewhere on my Mac and if a restore is needed I just do it via iTunes and then the in-app step of restoring data. I don’t pirate or download any sketchy software either so I should be fine. I don’t trust cloud-based services one single bit and no matter what or how sophisticated the technology might become, it’s never going to be as safe as when you have the information available nowhere else but on-site, in your very own hands and no one else’s, and in your very own control. End of Story.

  • salsal

    Does this mean that if you are not using iCloud as a backup service, and iCloud Keychain, you are pretty much safe? I use 1Password but sync my backups to Dropbox.

    • Bugs Bunnay

      I’d like a little more clarification too. Turn off Keychain = problem solved?

  • Bugs Bunnay

    I want to see an iOS version of this.