Security Study Shows Serious iOS, OS X Flaws Allow Password Theft

A team of six researchers has discovered three serious vulnerabilities in Apple’s iOS and OS X operating systems. The flaws have been used to successfully steal data, including passwords and secret authentication keys.



Discovered by a team of six researchers at Indiana University, Georgia Tech, and China’s Peking University, the exploits rely on fundamental flaws in the implementation of Keychain’s access control lists, OS X’s app containers, and URL schemes that allow apps to call out to each other. Apple was notified of these vulnerabilities last October, the researchers told The Register, and then requested a six-month extension before the paper was made public, which was granted.

The Keychain vulnerability results from its inability to determine if an app should be allowed to modify Keychain entries. A malicious app can delete or create entries before the legitimate app has a chance to. The flaw has been used to retrieve a secret iCloud token, as well as retrieve passwords stored in Keychain by Google’s Chrome browser. Google will reportedly remove Keychain access until a fix is issued.

Another vulnerability exists in OS X’s app containers, which are designed to keep Mac App Store apps from accessing data belonging to other apps without explicit permission to do so. However, the Mac App Store doesn’t verify the uniqueness of Bundle IDs belonging to helper apps. By creating a malicious helper app with the same Bundle ID as an existing app, the bad guys can gain access to the app’s containers.

A flaw in the iOS and OS X URL Schemes allowed researchers to hijack the URL schemes of legitimate apps and grab any data passed between them.
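A defender's audit for the two collisions described above (a helper reusing another app's Bundle ID, and two apps claiming the same URL scheme), as an added example that is not code from the researchers or Apple. It assumes the bundles to audit sit under one directory; the bundle names and IDs in `build_sample` are constructed.

```python
import plistlib
from collections import defaultdict
from pathlib import Path

BUNDLE_SUFFIXES = {".app", ".xpc"}  # assumption: audit app bundles and XPC helper bundles

def read_info(bundle):
    """Parse a bundle's Info.plist (macOS layout first, then iOS layout)."""
    for rel in ("Contents/Info.plist", "Info.plist"):
        try:
            with (bundle / rel).open("rb") as fh:
                return plistlib.load(fh)
        except Exception:  # missing, unreadable or malformed plist: try next layout
            continue
    return None

def shared(claims):
    """Keep only keys claimed by more than one top-level app."""
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}

def find_collisions(root):
    """Return ({bundle_id: owners}, {url_scheme: owners}) for claims shared across apps."""
    root = Path(root)
    ids, schemes = defaultdict(set), defaultdict(set)
    for bundle in sorted(root.rglob("*")):
        if bundle.suffix not in BUNDLE_SUFFIXES or not bundle.is_dir():
            continue
        info = read_info(bundle)
        if not isinstance(info, dict):
            continue
        owner = bundle.relative_to(root).parts[0]  # top-level app shipping this bundle
        if info.get("CFBundleIdentifier"):
            ids[info["CFBundleIdentifier"]].add(owner)
        for url_type in info.get("CFBundleURLTypes", []):
            for scheme in url_type.get("CFBundleURLSchemes", []):
                schemes[scheme.lower()].add(owner)  # URL schemes are case-insensitive
    return shared(ids), shared(schemes)

def write_bundle(path, bundle_id, url_schemes=()):
    """Create a constructed macOS-style bundle that contains only an Info.plist."""
    info = {"CFBundleIdentifier": bundle_id}
    if url_schemes:
        info["CFBundleURLTypes"] = [{"CFBundleURLSchemes": list(url_schemes)}]
    (path / "Contents").mkdir(parents=True)
    with (path / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)

def build_sample(root):
    """Constructed sample: Other.app ships a helper reusing Legit.app's ID and scheme."""
    root = Path(root)
    write_bundle(root / "Legit.app", "com.example.legit", ["legit"])
    write_bundle(root / "Other.app", "com.example.other", ["Legit"])
    write_bundle(root / "Other.app/Contents/XPCServices/Helper.xpc", "com.example.legit")
```

Calling `find_collisions` on a directory of installed apps lists every Bundle ID and URL scheme claimed by more than one top-level app, each of which is worth a manual look.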

While the flaws remain unpatched in the latest versions of OS X Yosemite, including betas, tests have not been made against the beta of OS X El Capitan, which was released to developers last week. Researchers say they were able to get apps containing the malware into both the Mac and iOS App Stores, saying the malware was not detected during the approval process.