A team of researchers from Indiana University, Peking University, and the Georgia Institute of Technology have published a paper that divulges several zero-day flaws within OS X and iOS, according to a recent report from The Register. These flaws, the researchers state, make it possible to crack Apple’s keychain and break app sandboxes. They also allow attackers to bypass the App Store security checks. Ultimately, the exploits would allow attackers to steal passwords from any installed app, including Mail, without being detected.
The team succeeded in uploading malware to Apple’s App Store, passing the review process without a problem with a program that is able to retrieve passwords from the keychain for services including iCloud, Mail, and all of those stored within Google Chrome. The exploits are still present within OS X and iOS, the researchers claim, which means the paper will likely be used by attackers to create their own brands of Mac and iOS malware.
Lead researcher Lui Xing said that he and his team notified Apple of the security flaws in October 2014, and complied with Apple’s request to give the company six months to address the exploits. In February, Cupertino requested an advance copy of the paper, but the flaws remain present in the latest shipping versions of both operating systems.
Using the exploits, the team were able to retrieve banking details from Google Chrome on the latest OS X 10.10.3. They were also able to steal the system’s keychain and secret iCloud tokens, while stealing passwords from secure vaults. The team also succeeded in stealing photos from WeChat and compromising Evernote.
As disturbing as it is that the team of researchers was able to so readily assault OS X and iOS using software that passed Apple’s app review process, what is more troubling is the fact that Cupertino has known of the vulnerabilities since October and failed to act on them. Hopefully, the software engineers at Apple will patch these holes quickly, before they are able to be exploited by those wishing to actually steal personal data.