Apple users are facing serious zero-days that could lay open all of their app credentials to attackers, on both Macs and iPhone/iPads.
A group of researchers from Indiana University say that they’ve found a string of vulnerabilities in OS X and iOS that, if combined, would allow an attacker to run amok on a device’s apps, stealing iCloud passwords, authentication tokens, saved web passwords on Google Chrome and more.
The flaws also allow a bypass of app sandboxes and App Store security checks: the researchers got a proof-of-concept malware app through Apple's vetting process without raising any alarms, and that app can pilfer, well, practically everything a user has.
The researchers dubbed the issue "unauthorized cross-app resource access," or XARA, but others have taken to calling it Apple Cored, because the issue sits at the heart of the OS.
It all comes down to a bad access-control list (ACL) implementation in the inter-app interaction engine, which Apple calls Keychain (companion issues also exist in WebSocket on OS X, and in URL Schemes on OS X and iOS). Keychain manages how apps talk to each other, which includes storing credentials and making them available between apps.
In the PoC, the researchers' malicious app reconfigured how Keychain does its job. By rewriting Keychain entries to grant itself access to the credentials used by other apps on the device, it was able to compromise Dropbox, Facebook and Evernote on a Mac, along with the messaging app WeChat, and vaulted passwords from 1Password.
“Looking into the root cause of those security flaws, we found that in most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with,” the researchers explained in the paper. “Fundamentally, the problem comes from the challenge for an app to authenticate the owner of an existing Keychain item. Apple does not offer a convenient way to do so.”
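The check the researchers say is missing, written from the app side as an added example (not code from the paper or from Apple): before reusing a Keychain item that already exists under its own service name, the app inspects the item's ACL and refuses to write a credential into it unless every entry that grants "decrypt" names only the calling application. The service and account names are constructed placeholders, and comparing trusted-application data blobs with CFEqual is assumed to be an adequate identity test.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <string.h>

// Constructed identifiers for a hypothetical victim app; not from the page.
static const char *kService = "com.example.syncclient";
static const char *kAccount = "session-token";

// YES only if every ACL entry granting "decrypt" on `item` lists this process as
// its sole trusted application. A NULL application list ("any application") or a
// foreign entry means some other app pre-created or reconfigured the item.
static BOOL DecryptACLTrustsOnlySelf(SecKeychainItemRef item) {
    BOOL ok = NO;
    SecTrustedApplicationRef me = NULL; CFDataRef meData = NULL;
    SecAccessRef access = NULL; CFArrayRef acls = NULL;
    if (SecTrustedApplicationCreateFromPath(NULL, &me) != errSecSuccess) goto done; // NULL = calling app
    if (SecTrustedApplicationCopyData(me, &meData) != errSecSuccess) goto done;
    if (SecKeychainItemCopyAccess(item, &access) != errSecSuccess) goto done;
    if (SecAccessCopyACLList(access, &acls) != errSecSuccess) goto done;
    ok = YES;
    for (CFIndex i = 0; ok && i < CFArrayGetCount(acls); i++) {
        SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(acls, i);
        CFArrayRef auths = SecACLCopyAuthorizations(acl);
        BOOL decrypt = auths && CFArrayContainsValue(auths, CFRangeMake(0, CFArrayGetCount(auths)),
                                                     kSecACLAuthorizationDecrypt);
        if (auths) CFRelease(auths);
        if (!decrypt) continue;  // e.g. the usual "encrypt for anyone" entry is harmless
        CFArrayRef apps = NULL; CFStringRef desc = NULL; SecKeychainPromptSelector sel = 0;
        if (SecACLCopyContents(acl, &apps, &desc, &sel) != errSecSuccess || apps == NULL) ok = NO;
        for (CFIndex j = 0; ok && apps && j < CFArrayGetCount(apps); j++) {
            CFDataRef d = NULL;  // assumption: equal data blobs identify the same application
            if (SecTrustedApplicationCopyData((SecTrustedApplicationRef)CFArrayGetValueAtIndex(apps, j), &d)
                != errSecSuccess || !CFEqual(d, meData)) ok = NO;
            if (d) CFRelease(d);
        }
        if (apps) CFRelease(apps);
        if (desc) CFRelease(desc);
    }
done:
    if (acls) CFRelease(acls); if (access) CFRelease(access);
    if (meData) CFRelease(meData); if (me) CFRelease(me);
    return ok;
}

// Never write a fresh credential into a pre-existing item another app can decrypt:
// delete that item and create a new one under our own default ACL instead.
static OSStatus StoreToken(const void *token, UInt32 len) {
    SecKeychainItemRef item = NULL;
    OSStatus st = SecKeychainFindGenericPassword(NULL, (UInt32)strlen(kService), kService,
                                                 (UInt32)strlen(kAccount), kAccount, NULL, NULL, &item);
    if (st == errSecSuccess) {
        if (DecryptACLTrustsOnlySelf(item)) {
            st = SecKeychainItemModifyAttributesAndData(item, NULL, len, token);
            CFRelease(item); return st;
        }
        fprintf(stderr, "keychain item %s/%s is decryptable by another app; recreating\n", kService, kAccount);
        SecKeychainItemDelete(item); CFRelease(item);
    }
    return SecKeychainAddGenericPassword(NULL, (UInt32)strlen(kService), kService,
                                         (UInt32)strlen(kAccount), kAccount, len, token, NULL);
}
```

Build with `-framework Security -framework Foundation` on OS X; a tampered item surfaces as the stderr line, which is the signal to log or alert on rather than silently proceed.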