Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X

[rhythmworx]

Keychains raided, sandboxes busted, passwords p0wned, but Apple silent for six months

Six university researchers have revealed deadly zero-day flaws in Apple's iOS and OS X, claiming it is possible to crack Apple's keychain, break app sandboxes, and bypass its App Store security checks.

Attackers can steal passwords from any installed app, including the native email client, without being detected, by exploiting these bugs.

The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts. That malware, when installed on a victim's device, raided the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome.

Lead researcher Luyi Xing told El Reg he and his team complied with Apple's request to withhold publication of the research for six months, but had not heard back as of the time of writing.

They say the holes are still present in Apple's software, meaning their work will likely be consumed by attackers looking to weaponize the work.

Apple was not available for immediate comment.

The Indiana University boffins Xing; Xiaolong Bai; XiaoFeng Wang; and Kai Chen joined Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology, to develop the research, which is detailed in a paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS.

"Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register's security desk.

"Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.

"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."

The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system's keychain data and secret iCloud tokens, and passwords from password vaults.

Read more here.... http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

[momtaz]

Hard job for apple ...

[tominbkk]

Have to wait for them to open their research.

[hhgz]

Wow! If you read it on the internet, it must be true!

[IMHO]

It's an intresting topic...

From the videos it appears that it might only be possible if the malicious app actually creates the matching keychain entry before the genuine app does. Given the way keychain records are stored, that means any attack needs to be highly targeted - e.g. in the case of stored website/service passwords, it needs to predict the exact URL that a user is going to use. For popular websites, I guess that's pretty easy (FB, Twitter, GMail etc) - for other sites/services the attacker would need prior info on the victim, and as noted, possibly also might need to plant their code & keychain entries first- both of which make exploiting this a bit of a challenge.

What is also interesting is there's no way to hide the attack - from the Keychain console you can clearly see all keychain entries, and what apps have been granted access to them - if you're only using the AppStore to install apps (e.g. in a corp environment) there's practically no chance of a user inadvertently installing a masquerade app - for example, something named "Firefox" with the firefox app icon... but that's not Firefox. If you install apps from outside the app store, I guess you need to keep a good memory of what you did/didn't install, and you are probably also aware from all the warnings and admin password authorisations needed during installation / first launch that the apps might be insecure anyway. Sorry, false alarm - apps not digitally signed by Apple don't get access to Keychain.

On that note, Firefox for OSX does not use Keychain to store web passwords - so it is immune to this specific attack - that's not to say it's immune to all attacks though - it's still only software

Edited June 20, 2015 by IMHO