Apple iOS and OS X flaws leave passwords vulnerable

A vulnerability found in Apple’s iOS and OS X devices could allow hackers to upload malware and steal passwords for services including Mail and iCloud, reports The Register.

The discovery was made by six researchers at Indiana University, Peking University and the Georgia Institute of Technology, whose academic paper (view PDF) revealed a flaw that could allow malicious apps to gain unauthorized access to the data stored by other apps.

The researchers first had to bypass Apple’s vetting process to get their apps published on the app store, after which they were able to crack Apple’s password-storing keychain, break app sandboxes and then steal confidential information from a number of high-profile apps and websites.  According to the report, more than 88 percent of apps were “completely exposed” to the attack.

“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps,” lead researcher Luyi Xing told The Register.

Krebs on Security writes that the team was also able to raid banking credentials through Google Chrome, using a sandboxed app to steal the system’s keychain, iCloud tokens and passwords from password vaults.

According to The Register, Apple was first warned of the vulnerability in February 2015, which asked the researchers to hold off disclosure for six months. Apple device owners are advised to be extra cautious when downloading apps, even from the official iOS and Mac app stores.

Meanwhile, Samsung also discovered a major security flaw this week, with updates to its SwiftKey keyboard app potentially allowing malicious files to be sent to the device via a man-in-the-middle attack. As many as 600 million Samsung Galaxy phones could be vulnerable.

Photo: Bloomua /

Author Kyle Ellison, ESET

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s