Slashdot Mirror


Researchers Find Major Keychain Vulnerability in iOS and OS X

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

2 of 78 comments

  1. Re:No Keychain by Anubis+IV · Score: 4, Informative

    It's not just the built-in Keychain that's compromised. They've also managed to use these attacks to snoop on inter-process communication when they shouldn't be able to, such as that between the 1Password Mini extension that runs in the browser and the 1Password app that's responsible for the encrypted vault with all of a user's passwords. By doing so at the right time, they can capture any information exchanged between the two.

    Of course, there are easier ways to capture that particular data, such as simply making a malicious browser extension that captures usernames and passwords. You could likely get better distribution by doing so, not to mention avoiding any scrutiny that might come from the review process for the Mac App Store or iOS App Store.

    Even so, the fact that this is possible opens up a whole variety of attacks, many of which can compromise more significant amounts of data. For instance, they demonstrated an attack on Evernote that compromises all of the user's notes. Many people keep way too much sensitive information in Evernote, and an attack like this could really burn them.

  2. Re:No Keychain by wonkey_monkey · Score: 1, Informative

    I don't even use the keychain for anything other than wifi network passwords.

    I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

    --
    systemd is Roko's Basilisk.