Researchers from Indiana University and the Georgia Institute of Technology said that security holes in both iOS and OS X allow a malicious app to steal passwords from Apple’s Keychain, as well as from both Apple and third-party apps. The claims appear to have been confirmed by Apple, Google and others.
We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps
The Register says the team reported the flaws to Apple in October of last year. At that time, Apple said that it understood the seriousness of the flaws and asked the researchers to give it six months to address them before the exploit was made public. In February, Apple requested an advance copy of the paper, yet the flaws remain present in the latest versions of both operating systems …
Researchers were able to upload malware exploiting the vulnerabilities to both iOS and Mac App Stores, despite Apple’s vetting. The compromised apps were approved for both platforms.
The team say that they tested the exploit against a wide range of both Mac and iOS apps, and found that almost 90% of them were “completely exposed,” allowing the malware full access to data stored in the apps – including logins.
AgileBits, developer of the popular 1Password app, said that it could see no way to protect against the exploit. Google’s Chromium security team said that it believed it would be impossible to protect against the attack at an application level, and responded by removing Keychain integration for Chrome.
Based on a video released by the team (below), a commentator on Hacker News appears to be correct in suggesting that while the malware cannot directly access existing Keychain entries, it can do so indirectly by forcing users to log in manually and then capturing those credentials in a newly-created entry.
Keychain items have access control lists, where they can whitelist applications, usually only themselves. If my banking app creates a keychain item, malware will not have access. But malware can delete and recreate keychain items, and add both itself and the banking app to the ACL. Next time the banking app needs credentials, it will ask me to reenter them, and then store them in the keychain item created by the malware
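As an added illustration (not code from the article, the researchers or Apple), a toy Python model of the access-control behaviour the commentator describes, plus the check an app could run before writing a re-entered credential into an item it did not verifiably create; the keychain, app names, item names and secrets are constructed, and this is not Apple's Security framework API.

```python
# Toy model of Keychain ACL behaviour, constructed for this page; not Apple's
# Security framework API. App names, item names and secrets are hypothetical.

class Keychain:
    """Reads are ACL-checked, but any app can delete an item by name and
    create a fresh one: the gap the commentator above describes."""
    def __init__(self):
        self.items = {}             # name -> {"acl": set, "secret": str}

    def create(self, caller, name, secret, acl=None):
        if name in self.items:
            raise KeyError(f"{name} already exists")
        self.items[name] = {"acl": set(acl or {caller}), "secret": secret}

    def read(self, caller, name):
        item = self.items[name]
        if caller not in item["acl"]:
            raise PermissionError(f"{caller} is not in the ACL of {name}")
        return item["secret"]

    def delete(self, caller, name):
        del self.items[name]        # no ownership check: the modelled weakness

    def acl_of(self, name):
        return set(self.items[name]["acl"])

def store_credential_checked(kc, app, name, secret):
    """Write a re-entered credential only into an item whose ACL lists this
    app alone. Returns True if stored, False if the item looks tampered with."""
    if name not in kc.items:
        kc.create(app, name, secret)
        return True
    if kc.acl_of(name) != {app}:
        return False                # created by someone else: refuse to write
    kc.items[name]["secret"] = secret
    return True

def scenario():
    kc = Keychain()
    kc.create("bank", "bank-login", "hunter2")
    try:
        kc.read("malware", "bank-login")
        direct = True
    except PermissionError:
        direct = False              # existing item is protected by its ACL
    kc.delete("malware", "bank-login")
    kc.create("malware", "bank-login", "", acl={"malware", "bank"})
    # A naive app would write the re-entered password into this item.
    stored = store_credential_checked(kc, "bank", "bank-login", "hunter2")
    return direct, stored
```

`scenario()` returns `(False, False)`: the ACL blocks the direct read, and the widened ACL on the recreated item is what the check catches.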
For now, the best advice would appear to be caution in downloading apps from unknown developers – even from the iOS and Mac App Stores – and alertness to any occasion where you are asked to log in manually when that login is usually handled by Keychain.
The researchers say the seriousness of the vulnerabilities cannot be over-emphasised.
The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed. Such findings […] are just a tip of the iceberg.
As ever, the best practice is never to allow either your browser or a password manager to store your most sensitive logins, such as for online banking.
Check out additional videos over at The Register.
A separate Mac BIOS/EFI vulnerability revealed earlier this month would allow an attacker to take permanent control of a Mac even after reformatting the drive, while a bug in the iOS Mail app could allow convincing-looking phishing attacks.