Slashdot Mirror


Researchers Find Major Keychain Vulnerability in iOS and OS X

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

12 of 78 comments

  1. Re:That's Apple by captnjohnny1618 · Score: 4, Insightful

    Perhaps it's a non-trivial flaw in how they've implemented things and it's going to require nothing short of an overhaul. Six months is nothing to fully implement, test and roll out a fix. I write a software package used in house at a company I work for and it can take weeks to find, fix and test even minor bugs. Just sayin'. You also want to be sure to not introduce new bullshit in your fix. Rush it and you're much more likely to do so and that'll look even worse on such a critical system like this one.

    Granted, asking a researcher to not publish results is pretty lame. People have a right to know if they're vulnerable or not.

  2. No Keychain by DanJ_UK · Score: 2

    To be fair I don't even use the keychain for anything other than wifi network passwords.

    --
    - Dan
    1. Re:No Keychain by michelcolman · Score: 3, Interesting

      Take a look in your KeyChain to see what else it stores that you may not even know about. Logins for websites, for example.

    2. Re:No Keychain by DanJ_UK · Score: 2, Insightful

      I never store any passwords or card details, I don't use autocomplete, etc.; my keychain is very, very empty.

      Apart from the 6 dozen wifi networks my laptop has connected to.

      Safest place for any password is in your head, I even know all my cards off the top of my head.

      --
      - Dan
    3. Re:No Keychain by Anubis+IV · Score: 4, Informative

      It's not just the built-in Keychain that's compromised. They've also managed to use these attacks to snoop on inter-process communication when they shouldn't be able to, such as that between the 1Password Mini extension that runs in the browser and the 1Password app that's responsible for the encrypted vault with all of a user's passwords. By doing so at the right time, they can capture any information exchanged between the two.

      Of course, there are easier ways to capture that particular data, such as simply making a malicious browser extension that captures usernames and passwords. You could likely get better distribution by doing so, not to mention avoiding any scrutiny that might come from the review process for the Mac App Store or iOS App Store.

      Even so, the fact that this is possible opens up a whole variety of attacks, many of which can compromise more significant amounts of data. For instance, they demonstrated an attack on Evernote that compromises all of the user's notes. Many people keep way too much sensitive information in Evernote, and an attack like this could really burn them.

    4. Re:No Keychain by DanJ_UK · Score: 2
      discussion (d-skshn)
      n.
      1. Consideration of a subject by a group; an earnest conversation.
      2. A formal discourse on a topic; an exposition.
      --
      - Dan
    5. Re:No Keychain by raque · Score: 2

      Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores its passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

  3. Re:That's Apple by Anonymous Coward · Score: 2

    There is also regression testing. Done wrong, there are a lot of subsystems that will wind up broken.

    I do agree that asking not to publish results is lame, but I respect the researcher in heeding that, as KeyChain is a security critical element. I also understand that just hinting at a point of a vulnerability will get people going through things with a fine-toothed comb to find it.

    So far, Apple seems to be doing OK when it comes to security. Even jailbreaks are history these days.

  4. Re:Ouch by Anonymous Coward · Score: 3, Insightful

    Gloating over something like that would be pretty weird. Some people can't just enjoy their toys without pretending to be better than people who choose other toys.

  5. Order of operations is important by berj · Score: 5, Insightful

    It looks like the attacking app needs to be run before the attacked apps have had a chance to put their own entries in keychain.

    From their videos they run their "malware" first, set up an empty keychain entry for whatever it is they'd like the password for (e.g. iCloud or Facebook through Chrome). Then they run the app in question which fills in the password into the earlier created keychain entry. Since the malware is the one who created the keychain entry, it has access to the password.

    Definitely a vulnerability. But the attack window seems smallish. But, of course, that varies with a user's activities. If they set up their iCloud when they installed (or first logged in) or before they did anything else then it looks like the malware can't do anything. But it still leaves a pretty big window.

    I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it". Non-trivial changes, I'm sure.

    Definitely an ugly one.
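    The ordering race berj describes, as an added example that is not part of the original thread, of Apple's Security framework, or of the researchers' paper: a constructed in-memory keychain model in Python, where each item carries an access list of app identifiers standing in for the keychain ACL. The `Keychain`, `naive_store` and `guarded_store` names and the `com.example.*` app identifiers are hypothetical. It contrasts an app that writes its secret into whatever item already exists under its service name with one that first checks that the existing item's access list is exactly itself and refuses otherwise, which is one way to realise the "this password is for me and me alone" property the comment guesses at, and it also shows that when the legitimate app creates the item first the access list alone keeps the other app out.

```python
"""Constructed model of a keychain pre-registration race (not Apple's API)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Item:
    """One keychain entry; `access` is the set of app ids allowed to read or write it."""
    service: str
    account: str
    secret: Optional[str] = None
    access: set = field(default_factory=set)


class Keychain:
    """In-memory stand-in for the system keychain (hypothetical, for this example)."""

    def __init__(self) -> None:
        self.items: dict = {}

    def find(self, service: str, account: str) -> Optional[Item]:
        return self.items.get((service, account))

    def add(self, creator: str, service: str, account: str,
            secret: Optional[str] = None, share_with: Optional[set] = None) -> Item:
        key = (service, account)
        if key in self.items:
            raise KeyError(f"item already exists: {key}")
        # The creating app is always on the access list and may name others.
        item = Item(service, account, secret, {creator} | (share_with or set()))
        self.items[key] = item
        return item

    def set_secret(self, app: str, item: Item, secret: str) -> None:
        if app not in item.access:
            raise PermissionError(f"{app} may not write {item.service}/{item.account}")
        item.secret = secret

    def read_secret(self, app: str, item: Item) -> Optional[str]:
        if app not in item.access:
            raise PermissionError(f"{app} may not read {item.service}/{item.account}")
        return item.secret


class UnsafeStoreError(Exception):
    """The app refused to store a secret into an item it does not exclusively own."""


def naive_store(kc: Keychain, app: str, service: str, account: str, secret: str) -> Item:
    """'Find or create, then write': reuses whatever item is already present."""
    item = kc.find(service, account)
    if item is None:
        item = kc.add(app, service, account)
    kc.set_secret(app, item, secret)
    return item


def guarded_store(kc: Keychain, app: str, service: str, account: str, secret: str) -> Item:
    """Same, but only writes into a pre-existing item if this app is its sole principal."""
    item = kc.find(service, account)
    if item is None:
        return kc.add(app, service, account, secret)
    if item.access != {app}:
        raise UnsafeStoreError(
            f"{service}/{account} already exists with access {sorted(item.access)}; refusing to write")
    kc.set_secret(app, item, secret)
    return item


def run_scenario(store: Callable[..., Item]) -> Optional[str]:
    """Other app runs first and pre-creates the entry, naming the victim on its access list.
    Returns what that app can read afterwards; None means the secret never reached it."""
    kc = Keychain()
    kc.add("com.example.other", "cloud-account", "alice", share_with={"com.example.victim"})
    try:
        store(kc, "com.example.victim", "cloud-account", "alice", "s3cret-token")
    except UnsafeStoreError:
        pass  # the legitimate app fails closed and reports instead of storing
    item = kc.find("cloud-account", "alice")
    return kc.read_secret("com.example.other", item)


def victim_first() -> bool:
    """Legitimate app creates the item first: the access list alone keeps the other app out."""
    kc = Keychain()
    naive_store(kc, "com.example.victim", "cloud-account", "alice", "s3cret-token")
    try:
        kc.read_secret("com.example.other", kc.find("cloud-account", "alice"))
    except PermissionError:
        return False
    return True


def legitimate_update() -> Optional[str]:
    """The guarded path still lets an app update an item it created itself."""
    kc = Keychain()
    guarded_store(kc, "com.example.victim", "cloud-account", "alice", "old")
    guarded_store(kc, "com.example.victim", "cloud-account", "alice", "new")
    return kc.read_secret("com.example.victim", kc.find("cloud-account", "alice"))


if __name__ == "__main__":
    print("naive store, other app first:  ", run_scenario(naive_store))
    print("guarded store, other app first:", run_scenario(guarded_store))
    print("other app reads when victim first:", victim_first())
    print("guarded self-update:", legitimate_update())
```

    The guard is deliberately strict: an item that exists but lists anyone besides the app itself is treated as untrusted, so the secret is never written and the failure is surfaced to the caller rather than silently continuing.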

  6. Re:That's Apple by AmiMoJo · Score: 4, Insightful

    Maybe it is non-trivial to fix, but the lack of communication with the original author isn't good. Also, if something is going to take that long to fix the only reasonable thing to do is to publish an advisory so people can defend themselves. If this researcher found it, others can find it. If the only mitigation is to stop using the product, then you have to be honest and say that.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Re:That's Apple by sudon't · Score: 2

    What they're complaining about is that they never heard back from Apple at the end of the six months. I'm sure that if Apple rang them up and said, "Hey, we're still working on a fix", that they'd have been willing to continue withholding publication. No mention of whether the researchers tried to contact Apple again at that time.

    It's much better practice to allow a company to close a hole, than to inform users, who, in most instances, could do fuck all with that knowledge, anyway. On the other hand, there are other people who could make use of that knowledge, and that's who you want to keep in the dark, if at all possible.

    --
    -- sudon't

    Air-ride Equipped