Skip to main content

Major zero-day security flaws in iOS & OS X allow theft of both Keychain and app passwords

mac-os-x-ios-hack

Researchers from Indiana University and the Georgia Institute of Technology said that security holes in both iOS and OS X allow a malicious app to steal passwords from Apple’s Keychain, as well as both Apple and third-party apps. The claims appear to have been confirmed by Apple, Google and others.

We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps

The Register says the team reported the flaws to Apple in October of last year. At that time, Apple said that it understood the seriousness of the flaws and asked the researchers to give it six months to address them before the exploit was made public. In February, Apple requested an advance copy of the paper, yet the flaws remain present in the latest versions of both operating systems … 

Researchers were able to upload malware exploiting the vulnerabilities to both iOS and Mac App Stores, despite Apple’s vetting. The compromised apps were approved for both platforms.

The team say that they tested the exploit against a wide range of both Mac and iOS apps, and found that almost 90% of them were “completely exposed,” allowing the malware full access to data stored in the apps – including logins.

AgileBits, developer of the popular 1Password app, said that it could see no way to protect against the exploit. Google’s Chromium security team said that it believed it would be impossible to protect against the attack at an application level, and responded by removing Keychain integration for Chrome.

Based on a video released by the team (below), a commentator on Hacker News appears to be correct in suggesting that while the malware cannot directly access existing Keychain entries, it can do so indirectly by forcing users to login manually and then capturing those credentials in a newly-created entry.

Keychain items have access control lists, where they can whitelist applications, usually only themselves. If my banking app creates a keychain item, malware will not have access. But malware can delete and recreate keychain items, and add both itself and the banking app to the ACL. Next time the banking app needs credentials, it will ask me to reenter them, and then store them in the keychain item created by the malware

For now, the best advice would appear to be cautious in downloading apps from unknown developers – even from the iOS and Mac App Stores – and to be alert to any occasion where you are asked to login manually when that login is usually done by Keychain.

The researchers say the seriousness of the vulnerabilities cannot be over-emphasised.

The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed. Such findings […] are just a tip of the iceberg.

As ever, the best practice is never to allow either your browser or a password manager to store your most sensitive logins, such as for online banking.

[youtube=https://www.youtube.com/watch?v=IYZkAIIzsIo]

Check out additional videos over at The Register.

A separate Mac BIOS/EFI vulnerability revealed earlier this month would allow an attacker to take permanent control of a Mac even after reformatting the drive, while a bug in the iOS Mail app could allow convincing-looking phishing attacks.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. nelson1112233 - 9 years ago

    This is being re-ashed beyond stupidity.

    I’ve read the paper, and for it to work, an app file must be edited.

    No Mac App Store can do that no matter what.

    It’s impossible to do that to a Mac App Store without root (password) access.

    And after that, you have to allow that app to access the keychain first.

    • Ben Lovejoy - 9 years ago

      A malicious app disguised as a useful one can be uploaded to either App Store.

      • nelson1112233 - 9 years ago

        An app from the App Store can’t edit it’s plist file, you even need root access for that.

        The author edited the plist file behind the camera, and also authorized app’s complete access to Keychain.

      • Ben Lovejoy - 9 years ago

        You are suggesting they faked the video?

      • nelson1112233 - 9 years ago

        I’m not suggesting anything.

        Please read the paper.

      • Ben Lovejoy - 9 years ago

        The video appears to me to accurately reflect what the paper describes.

      • rnc - 9 years ago

        Why does he start with the App opened?

        Why is it on 10.10.0 and not on 10.10.3?

        Meh… whatever…

      • g0bez - 9 years ago

        The point is that the video starts with everything open already… it doesn’t show the (very important) fact that none of this is possible without the user’s password (a stunt to presumably hype up the severity of this bug). Arguably people are the easiest part of the computer to hack, but the point is that it isn’t like this can work just randomly. Getting this running on the mac in the first place is still a very big hurdle to overcome, which they don’t address here.

  2. PhilBoogie - 9 years ago

    My Keychain they can have, but please, do not let this result in the posting of nude celeb selfies!

  3. depicus - 9 years ago

    Two factor authentication would mitigate this but still not great.

  4. mpias3785 - 9 years ago

    Apple seems to be taking longer and longer to address problems in their operating systems. Nine months to fix the WiFi bug (and the fix hasn’t been released yet), a less common problem with Apple’s iCloud email has been plaguing some users for just as long and hasn’t even been acknowledged. Apple has known about this security hole since last October and hasn’t patched it.

    What are the programmers doing other than devising new ways to make every version of iTunes more confusing than the last?

    • lkrupp215 - 9 years ago

      So you think some of these flaws can be fixed in a few minutes? What about the affect a fix has on the rest of the code? Fix it here, break it there, lather, rinse, repeat. Some of this stuff takes a long time to analyze and come up with a real fix.

      Your assertion that Apple is taking longer and longer to fix things is in your mind only, a result of the instant gratification syndrome. Something isn’t working the way you think it should? Snap your finger and it’s fixed? OS X 10.11 El Capitan is apparently going to concentrate on stability and performance. Each release of OS X Yosemite has continued to squash bugs. Just because they weren’t one of your bugs doesn’t mean Apple is slacking off. I’m reasonably certain that bugs are prioritized based on severity and the number of users affected. Not all bugs are important.

      • vandiced - 9 years ago

        @Ikrupp215 are you a programmer?

      • mpias3785 - 9 years ago

        Forgetting the fact that I’ve had no junk mail filtered since I installed Yosemite the day it came out and a few other interesting problems I won’t get into, there are problems in iTunes and iOS that go back *years* that have yet to be addressed.

        I blame the yearly update schedule inflicted on the operating systems. Everyone is so enamored with Snow Leopard, and rightly so, but it took 23 months to get from 10.6 to 10.6.8. There was enough time to get it right. Yosemite is still buggy three quarters of the way through its life. If El Capitan is based on Yosemite then it’s based on buggy code and the bugs will just build up. Operating systems need time to mature and they’re not getting it.

      • Sean Bahrami (@seanb511) - 9 years ago

        I am a programmer and I do agree partially with this statement. Apple’s yearly release may be putting apple in a tight bind and they may not have enough resources to do both support the existing os and develop the new one. You have to keep in mind in order to make a annual release you have to build a platform for an annual release, and I don’t know if Mac OS X is actually built that way, they maybe transitioning it, but you have 11 years of work to do, and a lot of Mac OS X has never been battle tested like Windows, there is a reason they have patch Tuesday. I have been a Mac OS X user since 2005 and don’t plan on switching, but as programmer for over a decade, they are so many dynamics to fix these problems especially for an operating system. Adding more programmers does not solve the problem as it brings more complexity and people who are not familiar with how everything works. Yes this is an issue, but it could be that the fix is really large as it breaks the sandboxing, which is something that started being introduced as far back as leopard at the core level and its functionality has been increased with additional functionality and features. From Google’s assessment this could be a very large that may require Apple to rethink how they handle sandboxing and everything else in the long run, which is why an immediate fix is not a great thing or can be broken as Mac OS X infrastructure was not built for it.

  5. lkrupp215 - 9 years ago

    The article calls this a zero-day emergency but there’s no mention if these researchers have released proof of concept code to the hacker community (okay, the public). There’s no mention whether there are active exploits going on. I also don’t understand the ethical reasoning for researchers to release the code publicly after their six month grace period. I don’t buy the reason that it’s to put pressure on the software developer, Apple in this case. By releasing the exploit to the public they are putting users in danger. We don’t know why Apple hasn’t fixed this yet. It could be a very difficult task, it could still be in testing, it could be in the next release. Why couldn’t the researchers ask Apple if they need help in fixing it, if progress is being made. But no, after the six month grace period they release the exploit details, users be damned, blame Apple (or whoever). This sounds like classic chest thumping. You don’t help users by telling the bad guys how to attack them before a patch is available.

    Finally, there have been a number of these ‘the sky is falling’ exploits released and to my knowledge not a single one has gained any traction in the wild, mostly because they are not as simple as the security researchers would have us believe. Then add the paranoia of the hand-wringers to the mix.

    • Bill Richter - 9 years ago

      Workaround: Get your sensitive passwords out of Keychain/1Pass, etc. That’s why you release the info, to get info to the public. Uninformed != safe.

  6. Michael Weisberg - 9 years ago

    Apple needs to get their shit together and focus on security for once. Who the fuck cares about itunes and music when it is becoming this easy to steal creds.

    • Edison Wrzosek - 9 years ago

      Another comment by a side-line know-it-all… Do you work for Apple? Have you worked in software development on a product used by hundreds of MILLIONS, and need to make sure changes you make doesn’t bork something? I highly doubt it, yet you attempt to speak with such arrogant assertiveness it’s stunning. Don’t presume to speak about something you haven’t a clue about, will save yourself from looking like a complete fool.

      • Michael Weisberg - 9 years ago

        Do I work for Apple…No. However, the company I do work for has a dedicated Apple SME that I work very closely with. We have a great relationship with Apple.
        I work both in software and hardware development for many years now…I can speak with confidence on this.
        As I stated I work for a very large company within our MDM infrastructure and this effects us. Don’t presume to think what I know or don’t know on this subject.

      • Edison Wrzosek - 9 years ago

        Yes I can presume, because you’ve just admitted you don’t work for Apple, and working on an OS development team is MUCH different than working on just a standard application, so your experience in that area cannot be used as a baseline of comparison to an OS development team, and the complexities it entails! How do I know this? Because I have friends who work at (unfortunately) Microsoft on the Windows team, and I know from their own commentary, what’s involved in OS development and security patching, vs a standard application.

      • Bill Richter - 9 years ago

        No, you can’t presume, because you don’t work for Apple either, so, “your experience in that area cannot be used as a baseline of comparison to an OS development team and the complexities it entails” either.

        And no, your “friends” who work at M$ don’t trump his Apple contacts, nor do they give you any credibility here. At least he knows someone that actually works for Apple… smh

      • Tom Byrne - 9 years ago

        Fanboi..you are insecure congrats that is what you get for trusting Apple

      • Edison Wrzosek - 9 years ago

        I’m no fanboy, so piss off. I use what works, and the gear I’ve chosen is Apple, because in 20 years in IT, their products cause me the least amount of grief. You sound just all the others here who jump on this bullshit without even bothering to read the research paper, which exposes this as a flaw that will be VERY difficult to exploit in reality, and at present, is actually no threat at all. The videos presented also don’t demonstrate jack, as the steps needed to actually perform this attack are NOT shown, because it would illustrate this as being yet another hyperbole hit piece.

  7. Please read the article and understand it before you post crap about how Apple needs to get their security shit together.

    • Michael Weisberg - 9 years ago

      Stop coming to Apple’s defense on issues like this. This is a huge fail on their part and needs to be dealt with. Instead of putting a window dressing on iTunes Music and trying to compete with Spotify and Pandora, how about they work on security and stability of their operating systems.

      • Edison Wrzosek - 9 years ago

        He’s not coming to their (or anyone’s defence), and you’re just being defensive. There are safeguards in place in both the iOS and OS X App Stores, and the video doesn’t in fact show how he accomplished the modification of the PLIST file (an apparent requirement), as it was done off-camera.

        Also, you keep bringing up iTunes and Music as the reason Apple hasn’t addressed this, again trying to make yourself sound like a side-line know-it-all, when in fact you know jack shit about the inner workings of a company like Apple, who must be very careful not to release a patch that has the potential to not only screw up millions of machines / devices, but also thousands of third-party components.

        BTW, you might want to dig up the release notes Apple provides to developers on each release of OS X and iOS, not the public-facing ones; they are CHOCK full of security fixes, so obviously they aren’t sitting on their asses and not addressing security issues as you’re so vehemently attempting to imply in your defensive rants.

      • Michael Weisberg - 9 years ago

        Been doing this a long time and I am part of the MDM infrastructure group for a very very large company. As part of the iOS for IT dev program, I have access to all of that. I am not be defensive at all. You want defensive…go read the forums over at Mac Rumors.

        This is what Microsoft was like during the early XP years and they had egg on their faces for a long time.

      • Edison Wrzosek - 9 years ago

        Microsoft continues to have egg on it’s face to this very day, so not sure what you’re getting at. They’ve had egg on their face because of Windows Vista, Windows 8, and the saga continues, nothing new there.

        Being on a development team, no matter how large the company, is still no where close to being the same as being on a development team for an OPERATING SYSTEM. The complexities of coding an OS as vast and complicated as OS X or Windows far exceeds anything in your experience threshold, so you’re still not qualified to pass judgement on this matter.

      • rnc - 9 years ago

        “Instead of putting a window dressing on iTunes Music and trying to compete with Spotify and Pandora, how about they work on security and stability of their operating systems.”

        Now we all know what you came here for…

  8. If you have nothing to hide, you have nothing to fear.

    • ashtraywasp - 9 years ago

      Except if someone gets your passwords they could hijack your Apple ID straight out of your hands with no recourse available to you. They could get your mail account too, change the password and make sure you’ll never be able to gain access to it ever again.

      They could gain access to all your photos, all your messages, hell, every single iTunes purchase you’ve ever made, all your social media profiles.. basically your entire life, change some passwords and they’re out of your hands.

      But yeah.. keep reciting that Stalinesque line. It makes you sound clever.

    • chrisl84 - 9 years ago

      You have a pretty empty bank account if you have nothing to hide.

    • standardpull - 9 years ago

      If you have something to hide, you certainly stay far away from Google.

    • freediverx - 9 years ago

      “If you have nothing to hide, you have nothing to fear.”

      Was that quote from Hitler, Stalin, or Mao?

  9. dipaguco - 9 years ago

    So much for their new marketing scheme of privacy.

  10. Victor Panlilio - 9 years ago

    Reblogged this on Geek/Husband/Dad/Catholic and commented:
    OS X and iOS users, there’s a security flaw in both systems…”while the malware cannot directly access existing Keychain entries, it can do so indirectly by forcing users to login manually and then capturing those credentials in a newly-created entry.”

  11. Vadim Lozko - 9 years ago

    The headline is somewhat misleading. I read the paper and the keychain vulnerability is limited to OS X. There was no reference to any keychain vulnerability in iOS. The references to iOS in the paper are related to URL scheme hijacking. That in itself, while a problem, has nothing to do with the keychain and is not a method to steal passwords.

  12. srgmac - 9 years ago

    They had six months to come up with a fix for this and still have released nothing? Wow. Also, let’s not forget the rootpipe exploit was also reported to Apple in October of last year, and that has yet to be fixed as well. These are NOT the actions of a company who cares about privacy and security as much as they claim to. Think about all the money and resources they have, and how many genius caliber engineers that work there — there’s no excuse for taking any longer than 4-5 weeks to release a fix for these kind of exploits.

  13. Robert Rosimannus - 9 years ago

    I still wonder why only Estonia use Mobile ID and ID cards. All those problems would be gone. I have never used anything else than Mobile ID with online banking or other Estonian sites which include sensitive information. It has been like this for several years and years

  14. megsobrien - 9 years ago

    Hi, I’m Megan and I work for AgileBits, the makers of 1Password.

    For our security expert’s thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we’d love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.

    • lkrupp215 - 9 years ago

      Glad to see cooler heads piping in. We can do without the armchair quarterbacks of doom running around with their hair on fire, the know-nothing jerks who make nonsensical comments about security issues they neither understand nor are involved. It’s very easy to say Apple had six months to fix this and they didn’t so that makes them evil and incompetent… if you are ignorant of how things work.

  15. Bill Fray - 9 years ago

    Would it be helpful for now to remove current Safari extensions until the problem is fixed?

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear