Researchers Find Major Keychain Vulnerability in iOS and OS X

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

Re:That's Apple

[captnjohnny1618]

Perhaps it's a non-trivial flaw in how they've implemented things and it's going to require nothing short of an overhaul. Six months is nothing to fully implement, test and roll out a fix. I write a software package used in house at a company I work for and it can take weeks to find, fix and test even minor bugs. Just sayin'. You also want to be sure to not introduce new bullshit in your fix. Rush it and you're much more likely to do so and that'll look even worse on such a critical system like this one.

Granted, asking a researcher to not publish results is pretty lame. People have a right to know if they're vulnerable or not.

Re:Ouch

Gloating over something like that would be pretty weird. Some people can't just enjoy their toys without pretending to be better than people who choose other toys.

Re:No Keychain

[DanJ_UK]

I never store any passwords, card details, I don't use autocomplete etc, my keychain is very, very empty.

Apart from the 6 dozen wifi networks my laptop has connected to.

Safest place for any password is in your head, I even know all my cards off the top of my head.

Order of operations is important

[berj]

It looks like the attacking app needs to be run before the attacked apps have had a chance to put their own entries in keychain.

From their videos they run their "malware" first, setup an empty keychain entry for whatever it is they'd like the password for (eg. iCloud or facebook through chrome). Then they run the app in question which fills in the password into the earlier created keychain entry. Since the malware is the one who created the keychain entry, it has access to the password.

Definitely a vulnerability. But the attack window seems smallish. But, of course, that varies with a user's activities. If they setup their icloud when they installed (or first logged in) or before they did anything else then it looks like the malware can't do anything. But it still leaves a pretty big window.

I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it". Non-trivial changes, I'm sure.

Definitely an ugly one.

Re:That's Apple

[AmiMoJo]

Maybe it is non-trivial to fix, but the lack of communication with the original author isn't good. Also, if something is going to take that long to fix the only reasonable thing to do is to publish an advisory so people can defend themselves. If this researcher found it, others can find it. If the only mitigation is to stop using the product, then you have to be honest and say that.