Serious iPhone Security Flaw Could Allow Hackers to Steal All Your Passwords
No matter how many security precautions one doesn’t take, there’s still the risk of being hacked or having your information exposed to malevolent parties. The most recent event which comes to my mind is when Russian security firm Kaspersky Lab got hacked, a reputed maker of antivirus software. It seems that the hackers have gone as far as to steal certificates from Foxconn in order to redirect computer traffic.
So, if it can happen to a well-known security company whose job is to protect customers from all over the world, then this means we are exposed to the danger in any moment. Of course, this only means that tech companies need to beat the hackers at their own game and seriously improve their current protection technology. But until that happens, we have another fresh report which talks about a major security breach in Apple’s yard.
According to The Register, a group of six researchers from renowned universities have discovered that Apple’s iOS and OS X have significant zero-day security flaws. Their report is entitled “Unauthorized Cross-App Resource Access on MAC OS and iOS,” and can be accessed by anyone interested in learning more details regarding it. As a matter of fact, it seems that Apple has been aware of this problem for quite a few months, but it seems that it hasn’t found a fix yet.
If you are an Apple user, you are probably aware, or not, that all your confidential information passed through Apple’s iCloud Keychain service, the company’s password management system. These major vulnerabilities discovered in Apple’s desktop and mobile operating systems allow hackers to run malicious apps which could steal your passwords and thus gain access to your data. The researchers said the following:
We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps
According to their findings, it seems that Apple would have to make some serious architectural changes to OS X and iOS in order to fix these flaws. Have a look at the video from below which shows the Keychain vulnerability being exploited in Google Chrome browser on OS X.
As it turns out, a malicious app can break into your Keychain, but it can also bypass the App Store security checks and break app sandboxes, which is even more frightening, as it allows attackers to steal passwords from basically any installed app you might have. And I’m sure there are many out there who make payments from their banking accounts, not to mention the implications that this could have with Apple Pay, Apple’s own payment system.
The authors of the report managed to upload malware to Apple’s App Store without triggering any alerts that would signify that their app could steal passwords for services, such as Mail or iCloud. The flaws have been reported to Apple back in October 2014 and they haven’t been released for a period of six months, at Apple’s request. But the time has passed, and Apple is yet to come up with a response on this. Neglecting to do so in a timely manner is leaving hundreds of millions of users susceptible to a very serious security attack.