Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find Major Keychain Vulnerability in iOS and OS X

Posted by Soulskill on from the software-complexity-breeds-security-researchers dept.

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

46 of 78 comments (clear)

  1. Apple fans: Circle the wagons! by Anonymous Coward · · Score: 1

    - "This could happen on Android, Windows and Linux, not just on Apple!"

    - "It's only theoretical. It cannot happen in practice."

    - "This is not how it works. It's because you don't know how to use your Mac/iPhone.."

    1. Re:Apple fans: Circle the wagons! by pdclarry · · Score: 1

      - "This could happen on Android, Windows and Linux, not just on Apple!"

      -

      Um, It HAS happened on Android also: Critical flaws in Apple & Samsung Devices

  2. Re:That's Apple by captnjohnny1618 · · Score: 4, Insightful

    Perhaps it's a non-trivial flaw in how they've implemented things and it's going to require nothing short of an overhaul. Six months is nothing to fully implement, test and roll out a fix. I write a software package used in house at a company I work for and it can take weeks to find, fix and test even minor bugs. Just sayin'. You also want to be sure to not introduce new bullshit in your fix. Rush it and you're much more likely to do so and that'll look even worse on such a critical system like this one.

    Granted, asking a researcher to not publish results is pretty lame. People have a right to know if they're vulnerable or not.

  3. No Keychain by DanJ_UK · · Score: 2

    To be fair I don't even use the keychain for anything other than wifi network passwords.

    --
    - Dan
    1. Re:No Keychain by michelcolman · · Score: 3, Interesting

      Take a look in your KeyChain to see what else it stores that you may not even know about. Logins for websites, for example.

    2. Re:No Keychain by DanJ_UK · · Score: 2, Insightful

      I never store any passwords, card details, I don't use autocomplete etc, my keychain is very, very empty.

      Apart from the 6 dozen wifi networks my laptop has connected to.

      Safest place for any password is in your head, I even know all my cards off the top of my head.

      --
      - Dan
    3. Re:No Keychain by FranTaylor · · Score: 1

      Safest place for any password is in your head

      Yeah when you're recuperating from a broken leg and you're all laced up with pain killers, you need to order stuff online because you can't get out, and you can't remember your password. How awesome is that?

    4. Re:No Keychain by Anubis+IV · · Score: 4, Informative

      It's not just the built-in Keychain that's compromised. They've also managed to use these attacks to snoop on inter-process communication when they shouldn't be able to, such as that between the 1Password Mini extension that runs in the browser and the 1Password app that's responsible for the encrypted vault with all of a user's passwords. By doing so at the right time, they can capture any information exchanged between the two.

      Of course, there are easier ways to capture that particular data, such as simply making a malicious browser extension that captures usernames and passwords. You could likely get better distribution by doing so, not to mention avoiding any scrutiny that might come from the review process for the Mac App Store or iOS App Store.

      Even so, the fact that this is possible opens up a whole variety of attacks, many of which can compromise more significant amounts of data. For instance, they demonstrated an attack on Evernote that compromises all of the user's notes. Many people keep way too much sensitive information in Evernote, and an attack like this could really burn them.

    5. Re:No Keychain by snookiex · · Score: 1

      That sounds like a perfect "edge case". It's incredible, though, the amount of people that heavily rely on auto-saved stuff.

      --
      Open Source Network Inventory for the masses! Kuwaiba
    6. Re:No Keychain by wonkey_monkey · · Score: 1, Informative

      I don't even use the keychain for anything other than wifi network passwords.

      I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

      --
      systemd is Roko's Basilisk.
    7. Re:No Keychain by DanJ_UK · · Score: 1

      Hardly, all my passwords have uppercase, lowercase characters, numbers and special characters.

      I sometimes forget one and have to reset it via email, but my email and apple ID passwords are some of the strongest of all of them.

      For one off accounts or sites I don't give a shit about I tend to choose trivial passwords, ironically they're usually the ones I forget.

      --
      - Dan
    8. Re:No Keychain by DanJ_UK · · Score: 1

      I find it quicker to type out an address or any form while tabbing through it than correcting an autocomplete tool that got it wrong or missed a field, guess it depends how quick you type.

      --
      - Dan
    9. Re:No Keychain by DanJ_UK · · Score: 2
      discussion (d-skshn)
      n.
      1. 1. Consideration of a subject by a group; an earnest conversation.
      2. 2. A formal discourse on a topic; an exposition.
      --
      - Dan
    10. Re:No Keychain by raque · · Score: 2

      Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

    11. Re:No Keychain by Anonymous Coward · · Score: 1

      In the paper it's pointed out that the 1Password exploit is possible because it's using a local WebSocket and the main app doesn't validate that the process talking to it is actually the Mini extension. The paper points out that it would be ideal if Apple provided an API to do this sort of validation the application developer could implement their own solution.

      The built-in keychain issue is that on the Mac each item's access is controlled by a ACL. Another app with a forged bundle ID (com.appdev.foo) could create an item and then wait for the actual app with the ID of com.appdev.foo to access the keychain. Finding an existing item it will ask to use it and the nefarious app can then collect the data. The paper points out a mitigation for this one as well, the developer can simply check the ACL to see if anyone else has attached themselves to it before they write secure data to it.

      The cross-sandbox file issue is due to forged app IDs as well on helper processes and the fact that OS X uses the bundle ID as the name of the sandbox as opposed to a random string like iOS.

      There are no new iOS vulnerabilities in the paper at all. URL Scheme spoofing is pretty old and is getting locked down more in iOS 9.

    12. Re:No Keychain by XxtraLarGe · · Score: 1

      I don't even use the keychain for anything other than wifi network passwords.

      I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

      And yet you still did...

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    13. Re:No Keychain by mjwx · · Score: 1

      Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

      Most, if not all of my passwords are 5 characters.

      I simply take a four letter word like "farm" and a number and capitalise the first letter so it becomes "Farm4". Then I simply multiply that to meet complexity requirements and add a special character corresponding to the number if need be so it becomes something like "Farm4farm4", "Farm4$farm4$" or "Farm4farm4farm4farm4farm4" but all I need to remember is "Farm4" and how many times it is duplicated.

      The problem with most people is that they trust explicitly rather than being careful when they need to be and lax when high security is unnecessary. I break the cardinal password rule when dealing with things like online forums and sites that I consider disposable and have no access to sensitive information, I use the same password and let Firefox or Chrome remember it. When it comes to things like my bank, important email accounts, phone and Internet services, my work account, I use a unique password and I dont allow anything to remember it.

      However I'll never use an external service to remember my password, not even for something I'd consider disposable like my OzHonda forum login. The recent LastPass hack has demonstrated why.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  4. And they mocked windows for IAC ruthlessly... oh.. by Anonymous Coward · · Score: 1

    "these problems are caused by the lack of app-to-app and app-to-OS authentications"

  5. Re:That's Apple by Anonymous Coward · · Score: 2

    There is also regression testing. Done wrong, there are a lot of subsystems that will wind up broken.

    I do agree that asking not to public results is lame, but I respect the researcher in heeding that, as KeyChain is a security critical element. I also understand that just hinting at a point of a vulnerability will get people going through things with a fine-toothed comb to find it.

    So far, Apple seems to be doing OK when it comes to security. Even jailbreaks are history these days.

  6. Hacks by BobSwi · · Score: 1

    So that's how that hacker 4chan did it! /s

  7. Re:Ouch by Anonymous Coward · · Score: 3, Insightful

    Gloating over something like that would be pretty weird. Some people can't just enjoy their toys without pretending to be better than people who choose other toys.

  8. Re:That's Apple by null+etc. · · Score: 1

    In 2009, I alerted Apple to a major security flaw in their dev portal, in which anyone with an account could lock out admin access of any other account in the portal. I called their support hotline, and got a cocky rep from Ireland who assured me that no, such a thing was not possible, and that my understanding of the situation must be incorrect.

    I wonder if they've ever fixed that issue, especially when they took the dev portal offline for a few months to fix other glaring security issues.

  9. Email by Anonymous Coward · · Score: 1

    Keychain keeps your email passwords. Based on that the hacker can have access to your entire web accounts: financial, shoppings, social media, etc. This reminds me to turn off iMessage's access to phone text messages to at least keep the sms secure from same attack vector. Most financial accounts has two factor verification.

    1. Re:Email by FranTaylor · · Score: 1

      No, it does not keep your email passwords if you don't use OSX to read your email.

  10. Order of operations is important by berj · · Score: 5, Insightful

    It looks like the attacking app needs to be run before the attacked apps have had a chance to put their own entries in keychain.

    From their videos they run their "malware" first, setup an empty keychain entry for whatever it is they'd like the password for (eg. iCloud or facebook through chrome). Then they run the app in question which fills in the password into the earlier created keychain entry. Since the malware is the one who created the keychain entry, it has access to the password.

    Definitely a vulnerability. But the attack window seems smallish. But, of course, that varies with a user's activities. If they setup their icloud when they installed (or first logged in) or before they did anything else then it looks like the malware can't do anything. But it still leaves a pretty big window.

    I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it". Non-trivial changes, I'm sure.

    Definitely an ugly one.

    1. Re:Order of operations is important by Anonymous Coward · · Score: 1

      I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it".

      Already there. The glossary for the documentation on Apple's site (at https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/glossary/glossary.html) has the following:

      access control list (ACL)

      A structure containing information describing what must happen (display a confirmation dialog, ask for a password, and so forth) in order to permit a specific operation to occur. An ACL may also contain a list of applications that are always trusted to perform that operation. Each keychain item has one or more associated ACLs, and each ACL applies to a single operation that can be done with that item, such as encrypting or decrypting it. See also access object.

    2. Re:Order of operations is important by SQLGuru · · Score: 1

      Easy enough to spam the keychain with any of the "interesting" options.....if it's already there and fails, skip it, otherwise, the malware is prepped for a value getting added in the "YourBank" entry to whatever else.

    3. Re:Order of operations is important by FellowConspirator · · Score: 1

      Not only that, but apps can detect that happening and remove access from the malware before they save a password. The point is that most vendors don't bother looking at the access control list for keychain items. This is discussed in the developer docs for Keychain Access Controls.

    4. Re:Order of operations is important by Coward+Anonymous · · Score: 1

      Not quite. The attack is easily extensible so that the attackers can "run before" the target app at any time by simply deleting the keychain entry and recreating it with a new ACL that permits the target app and themselves access to the entry. From the user's perspective, they see an unexplained repeat prompt to enter their password which they'll gladly do and from there on, the attackers have access to the password.

      These security holes are quite awful.

  11. Every week now by koan · · Score: 1

    Should Edward Snowden Trust Apple To Do the Right Thing?

    http://yro.slashdot.org/story/...

    What do you think?

    Researchers Find Major Keychain Vulnerability in iOS and OS X

    http://it.slashdot.org/story/1...

    --
    "If any question why we died, Tell them because our fathers lied."
  12. Re:That's Apple by FranTaylor · · Score: 1

    such as disallowing modification of system files regardless of an application's permission level.

    So buggy insecure code somehow becomes secure if you can't modify it?

  13. Re:That's Apple by AmiMoJo · · Score: 4, Insightful

    Maybe it is non-trivial to fix, but the lack of communication with the original author isn't good. Also, if something is going to take that long to fix the only reasonable thing to do is to publish an advisory so people can defend themselves. If this researcher found it, others can find it. If the only mitigation is to stop using the product, then you have to be honest and say that.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. Re:That's Apple by captnjohnny1618 · · Score: 1

    Agreed. Or at the very least, make statement/advisory now that the paper has been published and supposedly the software exploit is alive and well in the App store(s).

  15. Re:RPG by captnjohnny1618 · · Score: 1

    "The secret token of Evernote" would be a great RPG title.

    ... or a porn about a character named Evernote. (sorry about the repost, forgot to quote the parent in the original.)

  16. Re: That's Apple by scum-e-bag · · Score: 1

    Not being able to change libstdc++ may have its advantages.

    --
    Does it go on forever?
  17. Re:That's Apple by sudon't · · Score: 2

    What they're complaining about is that they never heard back from Apple at the end of the six months. I'm sure that if Apple rang them up and said, "Hey, we're still working on a fix", that they'd have been willing to continue withholding publication. No mention of whether the researchers tried to contact Apple again at that time.

    It's much better practice to allow a company to close a hole, than to inform users, who, in most instances, could do fuck all with that knowledge, anyway. On the other hand, there are other people who could make use of that knowledge, and that's who you want to keep in the dark, if at all possible.

    --
    -- sudon't

    Air-ride Equipped

  18. "researchers?" by slashmydots · · Score: 1

    Why would "researchers" even bother? Apple is just going to sue them and cover it up. Don't they read tech headlines?

  19. Re: Nesil Hosting by DanJ_UK · · Score: 1

    ...and slashdot with all its tweaks couldn't implement a decent captcha. gg

    --
    - Dan
  20. The cynic/conspiracy theorist in me wonders... by lyran74 · · Score: 1

    whether companies don't hold back on fixes to these reported bugs as a concession to governments... could companies offering private services like iMessage patch some holes, while serving up others to the spooks with the understanding they have a limited time-frame to work, in exchange for generally being left alone?

  21. Re:That's Apple by TheP4st · · Score: 1

    users, who, in most instances, could do fuck all with that knowledge, anyway.

    It is not that bloody hard to switch to another platform in the case of an OS flaw, or hardware vendor in the case of something like the Samsung keyboard hack. A hassle? Yes. But certainly not a case where a user "could do fuck all" at least now iOS and Samsung users can make an informed decision whether to take the risk of sticking with their device or move elsewhere.

    On the other hand, there are other people who could make use of that knowledge, and that's who you want to keep in the dark

    Which is why responsible researchers wait for a reasonable time before releasing their findings to the public, in this case they waited the 6 months requested from them by Apple.

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  22. Re:That's Apple by TheP4st · · Score: 1

    Wow nice way of ignoring the second part of my post where I write that Apple were informed by the researchers 6 months ago. so at a minimum this is how long they have been aware of it but left it unpatched since then. And when Apple were informed they asked the researchers to wait 6 months before going public, which they did! Ignoring an issue doesn't make it go away.
    And seriously. How many of the apps you bought do you actually need? My bet, not as many you might believe

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  23. Re:Ouch by Anonymous Coward · · Score: 1

    Because some people think that their choice of phone says something about themselves, frankly choosing between the iPhone and a Galaxy is just having an F150 or a Silverado, its the exact same thing that millions of other people have. Much like the iPad/GalaxyTab/Surface, that product that diehards camp on the street for, covet in the corner of the coffee shop and define themselves by is the exact same product that brickies throw around on the jobsite, 12 years olds get in mass handouts at their schools and/or you get (often pretty scratched up) as a glorified menu at some restaurants.

    It is a tool for a job, no need to develop an emotional attachment to it or the company that makes it.

  24. Re:That's Apple by znrt · · Score: 1

    Six months is nothing to fully implement, test and roll out a fix.

    if i got this right, the unauthorized cross-app resource access is a design flaw in the way different apps are allowed to interact. the apps are already out there. there is no fix unless you are willing to fix all affected apps as well, or break them.

    this is a very serious issue and apple's silence and inaction is truly astonishing. at least some mitigation patch would be in place, asking the user's permission whenever any such interactions are about to happen.

  25. Re:Ouch by Jeremy+Erwin · · Score: 1

    In America, author uses analogy; In Soviet Russia, analogy uses author.

    Yes, the F150 is popular. Yes, the iPad is popular. But the analogy ends there.

  26. Re: Keychain is for Luddites. by arglebargle_xiv · · Score: 1

    You should try my Appchain app. It apps all your apps into one app. It even apps its own app into the app.

    Yeah, but does it tech the tech? Everyone knows you need to be able to tech the tech to the warp drive to fix serious problems.

  27. Re:Ouch by exomondo · · Score: 1

    Yes, the F150 is popular. Yes, the iPad is popular. But the analogy ends there.

    Kind of, but he's right: They are the most common, defacto choice because they are a good workhorse tool for the job. The Android world is full of choice - which can be a good thing - but if you aren't really fussed with that then you just get whatever everybody else has, which is an iPhone - it might be boring to do that but in that circumstance it's the logical thing to do...that's certainly what I did.