Security researchers have found a way to crack Apple’s keychain making it possible to steal passwords from any installed app including the native the Mail app without being detected.
Indiana University’s Luyi Xing, Xiaolong Bai, XiaoFeng Wang, and Kai Chen, joined Tongxin Li of Peking University and Xiaojing Liao of Georgia Institute of Technology to publish the paper Unauthorized Cross-App Resource Access on MAC OS X and iOS.
“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome,” Xing told The Register. “Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.”
“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
The security flaws are still present in Apple’s operating system today despite being submitted to Apple in October 2014. About 88.6% of 1612 Mac and 200 iOS apps tested were found to be “completely exposed” to this attack.
https://youtu.be/7NGlmWtw83s
Notably, Apple may not have issued a fix yet due to the complexity of resolving it. Apple asked the researchers to grant them a six month extension before disclosing the vulnerability and in February asked them to see an advance copy of the research paper before it went public.
https://www.youtube.com/watch?v=S1tDqSQDngE
When notified of the bug, Google’s security team removed Keychain integration from their Chrome browser and noted that it likely could not be solved at the application level. AgileBits, who makes 1Password, said it could not find a way to ward off the attack or make the malware “work harder” some four months after its disclosure.
https://www.youtube.com/watch?v=IYZkAIIzsIo
“Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense,” said the researchers.
via The Register
Megan says
Hi, I’m Megan and I work for AgileBits, the makers of 1Password.
I just wanted to clarify here that the attack described in this research is not directed at the encrypted 1Password database. For our security expert’s thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we’d love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.