Critical Zero-day Security Flaws in iOS and OS X – Apple Silent for 6 Months
Researchers have revealed critical zero-day security holes in both Apple's iOS and OS X operating systems. According to the six researchers, these Apple zero-day flaws allow a malicious app to steal passwords from Apple's Keychain and to bypass App Store security, enabling attackers to steal passwords from any installed app, including Apple's native apps, without being detected.
Apple zero-day flaws - Why is Apple silent?
Indiana University and Georgia Institute of Technology discovered these critical Apple zero-day flaws some months back, in October last year. After waiting over 6 months for Cupertino's tech giant to patch things up, the research team has published the details of the research. According to the research team, Apple said that it understood the critical nature of the flaws and requested an advance copy of the research back in February. However, the team claims that the Apple zero-day flaws in iOS and OS X are still present in the very latest versions of the Apple platforms.
"Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.
Our malicious apps successfully went through Apple’s vetting process and were published on Apple’s Mac app store and iOS app store."
The team was able to:
- crack the keychain service that is used to store passwords and other sensitive credentials for Apple apps
- crack sandbox containers on OS X
- discover weaknesses within the inter-app communication mechanism on iOS and OS X
- use those weaknesses to steal confidential data
They managed to steal this data from a variety of apps, including Facebook, Evernote, photos from WeChat, and other such "high-profile" apps. The research team was also able to get banking credentials from Google Chrome on the very latest OS X 10.10.3, using a sandboxed app to steal keychain and iCloud tokens.
According to the Register, Google was more responsive to the security loophole, as the Chromium security team removed Keychain integration for Chrome. It also noted that the security issue could "not be solved at the application level."
As is quite apparent, the results of such critical zero-day security loopholes would be no less than a disaster for users:
The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed.
What to do right now?
Everyone should start pushing Apple to release fixes for these Apple zero-day flaws in OS X and iOS. It is very odd of Apple not to have heeded this research team and sent out patches before the paper was published.
The best thing you could do right now is to stop storing your passwords in any browser or in password managers like Keychain.