Dedicated security researchers from the University of Indiana and the Georgia Institute of Technology have presented proof of a number of zero-day flaws within Apple’s iOS and OS X operating systems. The discovery, which sounds startling in itself and will likely cause concern amongst a lot of Apple device owners, also means that it’s theoretically possible for hackers to crack Apple’s Keychain and remove sensitive information such as passwords directly from a Mac, iPhone or iPad running malicious software.
If ever proof was needed that these zero-day flaws exist, the teams involved in the discovery have provided it. The researchers from both institutions not only made the discovery but were also able to submit an app containing malware to the App Store review team; it passed whatever security systems Apple has in place and was accepted for distribution. The uploaded software had internal capabilities that allowed it to access sensitive Keychain data such as passwords pertaining to a user’s iCloud and email accounts, as well as stored information from within the native Google Chrome iOS app.
The discovery was actually made some time ago, but after passing the information to Apple, the team complied with a request to wait six months before publishing or publicly discussing it. Apple hasn’t officially commented on the situation, nor has it patched the vulnerabilities in either iOS or OS X at the time of writing, which has led the researchers to provide additional detail regarding the flaws in their “Unauthorized Cross-App Resource Access on MAC OS X and iOS” white paper.
Luyi Xing, lead researcher from the University of Indiana, provided more details to The Register:
“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allow a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome. Our malicious apps successfully went through Apple’s vetting process and were published on Apple’s Mac app store and iOS app store.”
We don’t know what’s more concerning: the fact that the team managed to “completely crack the Keychain service” with relative ease, or that Apple has known about this vulnerability for close to six months and still hasn’t put the necessary fixes in place.