Major security flaws leave iOS and OS X vulnerable to wide ranging password theft


Your confidential information, ranging from web passwords in Chrome and other browsers to app passwords to banking credentials stored and synced between devices through Apple’s iCloud Keychain service—even data you thought was stored safely in password managers like 1Password and LastPass—can be easily compromised due to a trio of major vulnerabilities discovered in Apple’s desktop and mobile operating systems.

As discovered by a team of researchers at Indiana University, Georgia Tech and China’s Peking University and reported by The Register, Keychain’s access control lists, URL schemes and OS X’s app containers contain flaws creating serious attack vectors.

These zero-day flaws let malicious apps access, change and delete entries in a user’s Keychain, a central repository in both OS X and iOS for saving encrypted passwords and other private data.

“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps,” the team said.

Making matters worse, fixing these flaws is anything but trivial and would require significant architectural changes to the way OS X and iOS interact with apps.

Here’s a video showing the Keychain vulnerability being exploited in the Google Chrome browser on OS X. The researchers were able to raid banking credentials from Chrome on the latest Mac OS X 10.10.3 Yosemite, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, as well as passwords from password vaults.

Google will be removing Keychain integration for Chrome until a fix is delivered because they couldn’t address these flaws at the application level.

Not only can these catastrophic weaknesses let a malicious app break into your Keychain, they also let it bypass the App Store security checks and break app sandboxes.

As a result, attackers can steal passwords from any installed app.

Another worrying proof-of-concept video shows a malicious Mac app stealing a user’s iCloud access tokens stored in the Keychain, potentially opening the door to major identity theft as more and more of our digital lives are stored in iCloud.

As you can see, the malicious app was able to steal the secret iCloud token used to sign in to iCloud through System Preferences.

Lastly, this clip shows a vulnerability allowing a malicious helper app to access data in legitimate apps by using the same Bundle ID. Signed apps distributed through the Mac App Store have unique Bundle IDs, but the requirement doesn’t extend to helper apps.

So, for example, one could create a rogue helper app using the same Bundle ID as AgileBits’ 1Password to access that app’s container and steal all of a user’s private information saved in 1Password.
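Because the vetting gap described above is a duplicate Bundle ID shared with a helper app, one defensive check a Mac administrator can run is an inventory that flags any CFBundleIdentifier appearing in more than one .app bundle, including helper apps nested inside other bundles. The script below is an added example, not code from the researchers or from Apple; it assumes the standard Contents/Info.plist layout, and its demo builds a constructed bundle tree with placeholder identifiers rather than scanning a real system.

```python
import os
import plistlib
import tempfile


def iter_bundles(root):
    """Yield every .app directory under root, descending into bundles so that
    helper apps nested inside another app's Contents are found as well."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.endswith(".app"):
                yield os.path.join(dirpath, name)


def bundle_identifier(bundle_path):
    """Return the CFBundleIdentifier from Contents/Info.plist, or None if unreadable."""
    info = os.path.join(bundle_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except (OSError, plistlib.InvalidFileException):
        return None


def find_duplicate_bundle_ids(roots):
    """Map each Bundle ID claimed by two or more bundles to the paths that claim it.
    A legitimate app and an unrelated helper sharing an ID is the condition to review."""
    seen = {}
    for root in roots:
        for bundle in iter_bundles(root):
            bid = bundle_identifier(bundle)
            if bid:
                seen.setdefault(bid, []).append(bundle)
    return {bid: paths for bid, paths in seen.items() if len(paths) > 1}


def _write_bundle(path, bundle_id):
    """Create a minimal constructed .app bundle with the given identifier (demo only)."""
    os.makedirs(os.path.join(path, "Contents"), exist_ok=True)
    with open(os.path.join(path, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id, "CFBundleName": os.path.basename(path)}, fh)


def demo():
    """Constructed tree: a vault app, an unrelated app whose login-item helper reuses
    the vault's ID (placeholder com.example.* values), and a benign app."""
    root = tempfile.mkdtemp()
    _write_bundle(os.path.join(root, "Vault.app"), "com.example.vault")
    helper = os.path.join(root, "Other.app", "Contents", "Library", "LoginItems", "Helper.app")
    _write_bundle(helper, "com.example.vault")
    _write_bundle(os.path.join(root, "Benign.app"), "com.example.benign")
    return find_duplicate_bundle_ids([root])
```

On a real machine, pass roots such as /Applications and ~/Applications to find_duplicate_bundle_ids and review any collision by hand; a shared ID is a signal to investigate, not proof of a rogue helper.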

AgileBits said it could not find a way to ward off the attacks.

“Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense,” the researchers wrote in the paper.

The wide ranging security study was published in the form of a thirteen-page research paper titled “Unauthorized Cross-App Resource Access on Mac OS X and iOS”.

An excerpt from the study offers a rather grim assessment of the situation:

Our study brings to light a series of unexpected, security-critical flaws that can be exploited to circumvent Apple’s isolation protection and its App Store’s security vetting. The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed.

Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms. Most importantly, the new understanding about the fundamental cause of the problem is invaluable to the development of better app isolation protection for future OSes.

The researchers reported their discoveries to Apple back in October 2014.

Given the gravity of the attacks, the company asked for a six-month extension and in February requested an advance copy of the research paper before it was made public.

Apple has yet to deliver a fix via iOS and OS X software updates, so for the time being users are advised not to install apps from unknown sources and to be especially cognizant of any suspicious password prompts.

Source: The Register