Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find Major Keychain Vulnerability in iOS and OS X

Posted by Soulskill on from the software-complexity-breeds-security-researchers dept.

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

78 comments

  1. Keychain is for Luddites. by Anonymous Coward · · Score: 0

    Modern app appers secure apps using other apps, not Luddite Keychains!

    Apps!

    1. Re:Keychain is for Luddites. by Anonymous Coward · · Score: 0

      Appers using keychains instead of apps? Appalling!

    2. Re: Keychain is for Luddites. by Anonymous Coward · · Score: 0

      You should try my Appchain app. It apps all your apps into one app. It even apps its own app into the app.

    3. Re: Keychain is for Luddites. by arglebargle_xiv · · Score: 1

      You should try my Appchain app. It apps all your apps into one app. It even apps its own app into the app.

      Yeah, but does it tech the tech? Everyone knows you need to be able to tech the tech to the warp drive to fix serious problems.

  2. Ouch by DanJ_UK · · Score: 0, Troll

    Ouch, serves me right for gloating at the Samsung keyboard exploit.

    --
    - Dan
    1. Re:Ouch by Anonymous Coward · · Score: 3, Insightful

      Gloating over something like that would be pretty weird. Some people can't just enjoy their toys without pretending to be better than people who choose other toys.

    2. Re:Ouch by Anonymous Coward · · Score: 1

      Because some people think that their choice of phone says something about themselves, frankly choosing between the iPhone and a Galaxy is just having an F150 or a Silverado, its the exact same thing that millions of other people have. Much like the iPad/GalaxyTab/Surface, that product that diehards camp on the street for, covet in the corner of the coffee shop and define themselves by is the exact same product that brickies throw around on the jobsite, 12 years olds get in mass handouts at their schools and/or you get (often pretty scratched up) as a glorified menu at some restaurants.

      It is a tool for a job, no need to develop an emotional attachment to it or the company that makes it.

    3. Re:Ouch by Jeremy+Erwin · · Score: 1

      In America, author uses analogy; In Soviet Russia, analogy uses author.

      Yes, the F150 is popular. Yes, the iPad is popular. But the analogy ends there.

    4. Re:Ouch by exomondo · · Score: 1

      Yes, the F150 is popular. Yes, the iPad is popular. But the analogy ends there.

      Kind of, but he's right: They are the most common, defacto choice because they are a good workhorse tool for the job. The Android world is full of choice - which can be a good thing - but if you aren't really fussed with that then you just get whatever everybody else has, which is an iPhone - it might be boring to do that but in that circumstance it's the logical thing to do...that's certainly what I did.

  3. That's Apple by Anonymous Coward · · Score: 0

    Sweep it under the rug and ignore it for 6 months - way to go iApple. Too bad it wasn't Google finding it or you wouldn't have had six months in which to do... nothing.

    1. Re:That's Apple by captnjohnny1618 · · Score: 4, Insightful

      Perhaps it's a non-trivial flaw in how they've implemented things and it's going to require nothing short of an overhaul. Six months is nothing to fully implement, test and roll out a fix. I write a software package used in house at a company I work for and it can take weeks to find, fix and test even minor bugs. Just sayin'. You also want to be sure to not introduce new bullshit in your fix. Rush it and you're much more likely to do so and that'll look even worse on such a critical system like this one.

      Granted, asking a researcher to not publish results is pretty lame. People have a right to know if they're vulnerable or not.

    2. Re:That's Apple by Anonymous Coward · · Score: 2

      There is also regression testing. Done wrong, there are a lot of subsystems that will wind up broken.

      I do agree that asking not to public results is lame, but I respect the researcher in heeding that, as KeyChain is a security critical element. I also understand that just hinting at a point of a vulnerability will get people going through things with a fine-toothed comb to find it.

      So far, Apple seems to be doing OK when it comes to security. Even jailbreaks are history these days.

    3. Re:That's Apple by Anonymous Coward · · Score: 0

      Wouldn't surprise me if the requested 6 month delay was because they thought they could have iOS9 and El Capitan out by now. Since neither are ready yet I wonder what Apple's response will be.

    4. Re:That's Apple by null+etc. · · Score: 1

      In 2009, I alerted Apple to a major security flaw in their dev portal, in which anyone with an account could lock out admin access of any other account in the portal. I called their support hotline, and got a cocky rep from Ireland who assured me that no, such a thing was not possible, and that my understanding of the situation must be incorrect.

      I wonder if they've ever fixed that issue, especially when they took the dev portal offline for a few months to fix other glaring security issues.

    5. Re:That's Apple by Anonymous Coward · · Score: 0

      Or they may be adding it to iOS 9 and OSX El Capitan. Both OSes are shipping with new security features, such as disallowing modification of system files regardless of an application's permission level.

    6. Re:That's Apple by FranTaylor · · Score: 1

      such as disallowing modification of system files regardless of an application's permission level.

      So buggy insecure code somehow becomes secure if you can't modify it?

    7. Re:That's Apple by AmiMoJo · · Score: 4, Insightful

      Maybe it is non-trivial to fix, but the lack of communication with the original author isn't good. Also, if something is going to take that long to fix the only reasonable thing to do is to publish an advisory so people can defend themselves. If this researcher found it, others can find it. If the only mitigation is to stop using the product, then you have to be honest and say that.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:That's Apple by captnjohnny1618 · · Score: 1

      Agreed. Or at the very least, make statement/advisory now that the paper has been published and supposedly the software exploit is alive and well in the App store(s).

    9. Re: That's Apple by scum-e-bag · · Score: 1

      Not being able to change libstdc++ may have its advantages.

      --
      Does it go on forever?
    10. Re:That's Apple by sudon't · · Score: 2

      What they're complaining about is that they never heard back from Apple at the end of the six months. I'm sure that if Apple rang them up and said, "Hey, we're still working on a fix", that they'd have been willing to continue withholding publication. No mention of whether the researchers tried to contact Apple again at that time.

      It's much better practice to allow a company to close a hole, than to inform users, who, in most instances, could do fuck all with that knowledge, anyway. On the other hand, there are other people who could make use of that knowledge, and that's who you want to keep in the dark, if at all possible.

      --
      -- sudon't

      Air-ride Equipped

    11. Re:That's Apple by TheP4st · · Score: 1

      users, who, in most instances, could do fuck all with that knowledge, anyway.

      It is not that bloody hard to switch to another platform in the case of an OS flaw, or hardware vendor in the case of something like the Samsung keyboard hack. A hassle? Yes. But certainly not a case where a user "could do fuck all" at least now iOS and Samsung users can make an informed decision whether to take the risk of sticking with their device or move elsewhere.

      On the other hand, there are other people who could make use of that knowledge, and that's who you want to keep in the dark

      Which is why responsible researchers wait for a reasonable time before releasing their findings to the public, in this case they waited the 6 months requested from them by Apple.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    12. Re:That's Apple by michelcolman · · Score: 0

      O, yeah, when a flaw is found in iOS, you can just switch to Android and buy all the same apps you had on iOS. And then when another flaw is found in Android a couple of weeks later, you switch right back to iOS again. This time it's even easier because you only have to rebuy the apps you bought since the last switch. And if both platforms have open holes at the same time, well, just use an oldfashioned dumb phone for a while. Oh, you might even try a Microsoft phone (do they still make those?) for a while. See, plenty of options!

      Same for Mac OS X, Windows and Linux. Just buy multiple versions of all the apps you use in the office and you're all set. Or maybe try Haiku, I hear it has zero exploits in the wild.

    13. Re:That's Apple by TheP4st · · Score: 1

      Wow nice way of ignoring the second part of my post where I write that Apple were informed by the researchers 6 months ago. so at a minimum this is how long they have been aware of it but left it unpatched since then. And when Apple were informed they asked the researchers to wait 6 months before going public, which they did! Ignoring an issue doesn't make it go away.
      And seriously. How many of the apps you bought do you actually need? My bet, not as many you might believe

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    14. Re:That's Apple by znrt · · Score: 1

      Six months is nothing to fully implement, test and roll out a fix.

      if i got this right, the unauthorized cross-app resource access is a design flaw in the way different apps are allowed to interact. the apps are already out there. there is no fix unless you are willing to fix all affected apps as well, or break them.

      this is a very serious issue and apple's silence and inaction is truly astonishing. at least some mitigation patch would be in place, asking the user's permission whenever any such interactions are about to happen.

    15. Re: That's Apple by Anonymous Coward · · Score: 0

      Some of us actually buy quite expensive applications that do exceeding useful and important things in our professions.

      Unbelievable, I know.

    16. Re:That's Apple by Anonymous Coward · · Score: 0

      I don't think it's a good thing to inform the public if no fix is available, or it isn't even possible to find and avoid apps that exploit the holes, but instead Apple should clearly communicate with the discoverer and include a timeline when they are going to fix the problem, and when they intend to publish the fixes iOS version. IMHO they should ask for delays if they anticipate that they can't hold their initial schedule.

  4. Apple fans: Circle the wagons! by Anonymous Coward · · Score: 1

    - "This could happen on Android, Windows and Linux, not just on Apple!"

    - "It's only theoretical. It cannot happen in practice."

    - "This is not how it works. It's because you don't know how to use your Mac/iPhone.."

    1. Re:Apple fans: Circle the wagons! by pdclarry · · Score: 1

      - "This could happen on Android, Windows and Linux, not just on Apple!"

      -

      Um, It HAS happened on Android also: Critical flaws in Apple & Samsung Devices

    2. Re: Apple fans: Circle the wagons! by Anonymous Coward · · Score: 0

      Right on cue. Well done

    3. Re:Apple fans: Circle the wagons! by Anonymous Coward · · Score: 0

      He tried to make it obvious but clearly it still went over your head and you just ended up proving his point. So since it was not clear to you I will explain it: Apple fans (not necessarily Apple users, generally just the dedicated fanboys) try to dismiss and cover up criticism of Apple or flaws in its products by changing the topic of discussion by one or more of the ways listed above.

      Fanboys (again, not necessarily average Apple useres) have this idea that nobody who uses Apple products could possibly criticize them and so therefore it *must* be an attack by an Android user. Now as an Apple user this sort of security vulnerability and the lack of a fix or communication about it does worry me, the fact that Android has a similar vulnerability or even if it had thousands of critical vulnerabilities makes no difference to me whatsoever because I don't use it and I'm not suggesting I'm going to switch to it.

  5. No Keychain by DanJ_UK · · Score: 2

    To be fair I don't even use the keychain for anything other than wifi network passwords.

    --
    - Dan
    1. Re:No Keychain by michelcolman · · Score: 3, Interesting

      Take a look in your KeyChain to see what else it stores that you may not even know about. Logins for websites, for example.

    2. Re:No Keychain by DanJ_UK · · Score: 2, Insightful

      I never store any passwords, card details, I don't use autocomplete etc, my keychain is very, very empty.

      Apart from the 6 dozen wifi networks my laptop has connected to.

      Safest place for any password is in your head, I even know all my cards off the top of my head.

      --
      - Dan
    3. Re:No Keychain by FranTaylor · · Score: 1

      Safest place for any password is in your head

      Yeah when you're recuperating from a broken leg and you're all laced up with pain killers, you need to order stuff online because you can't get out, and you can't remember your password. How awesome is that?

    4. Re:No Keychain by Anubis+IV · · Score: 4, Informative

      It's not just the built-in Keychain that's compromised. They've also managed to use these attacks to snoop on inter-process communication when they shouldn't be able to, such as that between the 1Password Mini extension that runs in the browser and the 1Password app that's responsible for the encrypted vault with all of a user's passwords. By doing so at the right time, they can capture any information exchanged between the two.

      Of course, there are easier ways to capture that particular data, such as simply making a malicious browser extension that captures usernames and passwords. You could likely get better distribution by doing so, not to mention avoiding any scrutiny that might come from the review process for the Mac App Store or iOS App Store.

      Even so, the fact that this is possible opens up a whole variety of attacks, many of which can compromise more significant amounts of data. For instance, they demonstrated an attack on Evernote that compromises all of the user's notes. Many people keep way too much sensitive information in Evernote, and an attack like this could really burn them.

    5. Re:No Keychain by Anonymous Coward · · Score: 0

      Worse - it means that he has to personally remember every single web page password. Which means that either they're all trivially simple to remember, or they're all the same. Both of these vulnerabilities are likely to be much worse than the Keychain vulnerability (which is admittedly pretty bad). Not only that, but the Keychain vuln will likely get fixed pretty quickly, while his vulnerabilities will never get fixed.

    6. Re:No Keychain by snookiex · · Score: 1

      That sounds like a perfect "edge case". It's incredible, though, the amount of people that heavily rely on auto-saved stuff.

      --
      Open Source Network Inventory for the masses! Kuwaiba
    7. Re:No Keychain by wonkey_monkey · · Score: 1, Informative

      I don't even use the keychain for anything other than wifi network passwords.

      I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

      --
      systemd is Roko's Basilisk.
    8. Re:No Keychain by DanJ_UK · · Score: 1

      Hardly, all my passwords have uppercase, lowercase characters, numbers and special characters.

      I sometimes forget one and have to reset it via email, but my email and apple ID passwords are some of the strongest of all of them.

      For one off accounts or sites I don't give a shit about I tend to choose trivial passwords, ironically they're usually the ones I forget.

      --
      - Dan
    9. Re:No Keychain by DanJ_UK · · Score: 1

      I find it quicker to type out an address or any form while tabbing through it than correcting an autocomplete tool that got it wrong or missed a field, guess it depends how quick you type.

      --
      - Dan
    10. Re:No Keychain by DanJ_UK · · Score: 2
      discussion (d-skshn)
      n.
      1. 1. Consideration of a subject by a group; an earnest conversation.
      2. 2. A formal discourse on a topic; an exposition.
      --
      - Dan
    11. Re:No Keychain by raque · · Score: 2

      Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

    12. Re:No Keychain by Anonymous Coward · · Score: 1

      In the paper it's pointed out that the 1Password exploit is possible because it's using a local WebSocket and the main app doesn't validate that the process talking to it is actually the Mini extension. The paper points out that it would be ideal if Apple provided an API to do this sort of validation the application developer could implement their own solution.

      The built-in keychain issue is that on the Mac each item's access is controlled by a ACL. Another app with a forged bundle ID (com.appdev.foo) could create an item and then wait for the actual app with the ID of com.appdev.foo to access the keychain. Finding an existing item it will ask to use it and the nefarious app can then collect the data. The paper points out a mitigation for this one as well, the developer can simply check the ACL to see if anyone else has attached themselves to it before they write secure data to it.

      The cross-sandbox file issue is due to forged app IDs as well on helper processes and the fact that OS X uses the bundle ID as the name of the sandbox as opposed to a random string like iOS.

      There are no new iOS vulnerabilities in the paper at all. URL Scheme spoofing is pretty old and is getting locked down more in iOS 9.

    13. Re:No Keychain by XxtraLarGe · · Score: 1

      I don't even use the keychain for anything other than wifi network passwords.

      I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

      And yet you still did...

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    14. Re:No Keychain by Anonymous Coward · · Score: 0

      I don't even care to remember passwords. For simple sites where security doesn't matter, I just use the save password feature. For other accounts I just reset my password every time I forget my not easy to remember and always different password. I've my own email domain and just use a consistent way to create new email addresses on the fly, based on the website, whenever I need a new login. This makes it easy to avoid spam (filter on email address) and to track which website has given/sold my e-mail address to third party spammers (just look to what email address the spam is sent). I do write down important passwords in a non-digital notebook however.

    15. Re:No Keychain by Anonymous Coward · · Score: 0

      The built-in keychain issue is that on the Mac each item's access is controlled by a ACL. Another app with a forged bundle ID (com.appdev.foo) could create an item and then wait for the actual app with the ID of com.appdev.foo to access the keychain. Finding an existing item it will ask to use it and the nefarious app can then collect the data. The paper points out a mitigation for this one as well, the developer can simply check the ACL to see if anyone else has attached themselves to it before they write secure data to it.

      Can the bundle ID be spoofed by a signed app? (...and is there any process to limit which keys can sign apps with which ID?) OS X disallows running unsigned apps by default, so this may limit the exposure significantly as well.

      This may be in the paper, but I'm not clicking on a random drive.google.com link on the same platform that the security researched are claiming is vulnerable! Maybe I'm paranoid, but PDF has been used as an attack vector before and I've never seen an "academic paper" published this way. I'll check it out when I get home.

    16. Re:No Keychain by mjwx · · Score: 1

      Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

      Most, if not all of my passwords are 5 characters.

      I simply take a four letter word like "farm" and a number and capitalise the first letter so it becomes "Farm4". Then I simply multiply that to meet complexity requirements and add a special character corresponding to the number if need be so it becomes something like "Farm4farm4", "Farm4$farm4$" or "Farm4farm4farm4farm4farm4" but all I need to remember is "Farm4" and how many times it is duplicated.

      The problem with most people is that they trust explicitly rather than being careful when they need to be and lax when high security is unnecessary. I break the cardinal password rule when dealing with things like online forums and sites that I consider disposable and have no access to sensitive information, I use the same password and let Firefox or Chrome remember it. When it comes to things like my bank, important email accounts, phone and Internet services, my work account, I use a unique password and I dont allow anything to remember it.

      However I'll never use an external service to remember my password, not even for something I'd consider disposable like my OzHonda forum login. The recent LastPass hack has demonstrated why.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  6. And they mocked windows for IAC ruthlessly... oh.. by Anonymous Coward · · Score: 1

    "these problems are caused by the lack of app-to-app and app-to-OS authentications"

  7. Research paper date? by Anonymous Coward · · Score: 0

    Why does the research paper lack a date at the top? Is it still technically unpublished?

    The copyright for the paper states a $15 fee has to be paid for each distributed copy outside educational institutions as well. ???

  8. WRONG. by Anonymous Coward · · Score: 0, Troll

    It's not Apple's fault -- you're just not using encryption properly.

  9. Hacks by BobSwi · · Score: 1

    So that's how that hacker 4chan did it! /s

  10. Email by Anonymous Coward · · Score: 1

    Keychain keeps your email passwords. Based on that the hacker can have access to your entire web accounts: financial, shoppings, social media, etc. This reminds me to turn off iMessage's access to phone text messages to at least keep the sms secure from same attack vector. Most financial accounts has two factor verification.

    1. Re:Email by FranTaylor · · Score: 1

      No, it does not keep your email passwords if you don't use OSX to read your email.

  11. Order of operations is important by berj · · Score: 5, Insightful

    It looks like the attacking app needs to be run before the attacked apps have had a chance to put their own entries in keychain.

    From their videos they run their "malware" first, setup an empty keychain entry for whatever it is they'd like the password for (eg. iCloud or facebook through chrome). Then they run the app in question which fills in the password into the earlier created keychain entry. Since the malware is the one who created the keychain entry, it has access to the password.

    Definitely a vulnerability. But the attack window seems smallish. But, of course, that varies with a user's activities. If they setup their icloud when they installed (or first logged in) or before they did anything else then it looks like the malware can't do anything. But it still leaves a pretty big window.

    I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it". Non-trivial changes, I'm sure.

    Definitely an ugly one.

    1. Re:Order of operations is important by Anonymous Coward · · Score: 1

      I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it".

      Already there. The glossary for the documentation on Apple's site (at https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/glossary/glossary.html) has the following:

      access control list (ACL)

      A structure containing information describing what must happen (display a confirmation dialog, ask for a password, and so forth) in order to permit a specific operation to occur. An ACL may also contain a list of applications that are always trusted to perform that operation. Each keychain item has one or more associated ACLs, and each ACL applies to a single operation that can be done with that item, such as encrypting or decrypting it. See also access object.

    2. Re:Order of operations is important by SQLGuru · · Score: 1

      Easy enough to spam the keychain with any of the "interesting" options.....if it's already there and fails, skip it, otherwise, the malware is prepped for a value getting added in the "YourBank" entry to whatever else.

    3. Re:Order of operations is important by FellowConspirator · · Score: 1

      Not only that, but apps can detect that happening and remove access from the malware before they save a password. The point is that most vendors don't bother looking at the access control list for keychain items. This is discussed in the developer docs for Keychain Access Controls.

    4. Re:Order of operations is important by Anonymous Coward · · Score: 0

      "I'm guessing that the "fix" would be for there to be no way to share passwords among apps.."

      This seems like a flaw by itself. Why would App A need to know the credentials for App B? I didn't RTFA.

    5. Re:Order of operations is important by Anonymous Coward · · Score: 0

      In the paper, doesn't it say that an attacker can't read the contents of, but can still identify and delete privileged keychain entries. So you could find the names, delete the keychain, install your impostor, and off you go.

    6. Re:Order of operations is important by Anonymous Coward · · Score: 0

      > If they setup their icloud when they installed
      > (or first logged in) or before they did anything else
      > then it looks like the malware can't do anything.

      That suggests what the answer from Apple will be.

      Everything will live on the cloud now, from the first time you power up your hardware -- Apple will control it, not you.

      For your own good!

      Because Security!

    7. Re:Order of operations is important by Anonymous Coward · · Score: 0

      It'd also be easy to monitor for this - just open keychain and check if is full of spam.

    8. Re:Order of operations is important by Coward+Anonymous · · Score: 1

      Not quite. The attack is easily extensible so that the attackers can "run before" the target app at any time by simply deleting the keychain entry and recreating it with a new ACL that permits the target app and themselves access to the entry. From the user's perspective, they see an unexplained repeat prompt to enter their password which they'll gladly do and from there on, the attackers have access to the password.

      These security holes are quite awful.

  12. Every week now by koan · · Score: 1

    Should Edward Snowden Trust Apple To Do the Right Thing?

    http://yro.slashdot.org/story/...

    What do you think?

    Researchers Find Major Keychain Vulnerability in iOS and OS X

    http://it.slashdot.org/story/1...

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Every week now by Anonymous Coward · · Score: 0

      Right... I mean, the existence of a single vulnerability in an operating system implies that the people writing that operating system must be colluding with the government to introduce them.

    2. Re:Every week now by Anonymous Coward · · Score: 0

      Go back to RT

    3. Re:Every week now by Anonymous Coward · · Score: 0

      Right... I mean, the existence of a single vulnerability in an operating system implies that the people writing that operating system must be colluding with the government to introduce them.

      Well nobody said that "must" be the case but certainly given this significant security vulnerability was disclosed 6 months ago and the biggest and richest tech company in the world seems incapable of fixing their own product in that time nor providing any information about what they will do to secure the product should make you question whether this is a possibility. Yes there is the possibility that Apple is lazy and incompetent, there is also the possibility that they are colluding with governments to allow these vulnerabilities to exist.

    4. Re: Every week now by Anonymous Coward · · Score: 0

      The headline is disingenuous .

      The original paper found no keychain vulnerabilities in iOS (it explicitly states that iOS mitigated their attack methods that worked on OS X)

      The only iOS vulnerability in the paper is URL scheme hijacking, which has existed since iOS 2.0, and sounds much worse on paper than it is in practice. This is not a keychain attack. In addition the paper notes that Apple provides APIs that mitigate this vector as well, but few use them.

      The OS X XARA stuff is serious, but the Register has never been one to let facts get in the way of a snarky headline.

      Honestly it's at the level of the ex-FIFA VP claiming an article from the Onion proves his conspiracy theory

  13. RPG by Anonymous Coward · · Score: 0

    "The secret token of Evernote" would be a great RPG title.

    1. Re:RPG by captnjohnny1618 · · Score: 0

      ... Or a porn about a character named Evernote.

    2. Re:RPG by captnjohnny1618 · · Score: 1

      "The secret token of Evernote" would be a great RPG title.

      ... or a porn about a character named Evernote. (sorry about the repost, forgot to quote the parent in the original.)

    3. Re:RPG by Anonymous Coward · · Score: 0

      Have you ever considered eating your own turds?

  14. "researchers?" by slashmydots · · Score: 1

    Why would "researchers" even bother? Apple is just going to sue them and cover it up. Don't they read tech headlines?

  15. Re: Nesil Hosting by DanJ_UK · · Score: 1

    ...and slashdot with all its tweaks couldn't implement a decent captcha. gg

    --
    - Dan
  16. The cynic/conspiracy theorist in me wonders... by lyran74 · · Score: 1

    whether companies don't hold back on fixes to these reported bugs as a concession to governments... could companies offering private services like iMessage patch some holes, while serving up others to the spooks with the understanding they have a limited time-frame to work, in exchange for generally being left alone?

  17. Silly Attack Vector by Anonymous Coward · · Score: 0

    So you need to install a malicious app on your own device to be able to intercept your own data?

    Maybe that would help me not to forget my passwords.