Critical vulnerabilities in OS X and iOS could allow malicious apps to steal information from your keychain and password apps.
Six researchers from Indiana University and the Georgia Institute of Technology have published a paper in which they document serious security holes in Apple’s operating systems iOS and OS X. These can allow intruders to steal information from the systems’ keychain as well as passwords for apps, both Apple’s own and third-party.
One of the researchers is Luyi Xing, who described the problems to The Record:
“Recently we discovered a series of surprising vulnerabilities in Apple’s Mac OS and iOS that allow a malicious app to get unauthorized access to other apps’ sensitive data such as passwords and tokens for iCloud, the Mail app and all web passwords stored by Google Chrome.”
The researchers have managed to upload apps that contain malicious software, known as malware, to Apple’s own Mac App Store. Once the software is installed on a user’s Mac, it can be used to steal information from the keychain, including passwords for iCloud and the Mail app.
The research team says it contacted Apple about this as early as October last year. Apple is said to have replied and asked for six months to fix the problems before the paper was published. In February, Apple asked for an advance copy of the paper, but the security holes still remain. Approximately 88 percent of the 1,612 applications for OS X and 200 iOS apps were found to be “fully exposed” to unauthorized access from the malicious app. Xing says:
“Our nasty app went successfully through Apple’s review process and was published on both Apple’s Mac App Store and the iOS App Store. We cracked the entire keychain service that is used to store passwords and other data for various Apple apps – and sandbox containers on OS X, and identified new weaknesses in communication between apps on OS X and iOS that can be used to steal confidential data from Evernote, Facebook, and other high-profile applications.”
Google’s security team for the Chrome browser has also been contacted by the researchers, and responded by removing the app’s integration with the keychain in OS X. AgileBits, the developer behind the app 1Password, stated in a blog post that it is not able to find a reliable way to protect its app against similar attacks. AgileBits stresses, however, that the attack does not give full access to the data in 1Password, only to passwords sent from a browser to the 1Password Mini add-on.
Apple has not yet commented officially on the problems. Until further notice, users are advised to be vigilant about which apps they install on their devices, even those downloaded from Apple’s app stores. It is also good practice not to store particularly sensitive information, such as logins for banks, browsers, or password managers.