Researchers Find Major Keychain Vulnerability in iOS and OS X

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

Re:

[arglebargle_xiv]

You should try my Appchain app. It apps all your apps into one app. It even apps its own app into the app.

Yeah, but does it tech the tech? Everyone knows you need to be able to tech the tech to the warp drive to fix serious problems.

Re:

[Anonymous Coward]

Gloating over something like that would be pretty weird. Some people can't just enjoy their toys without pretending to be better than people who choose other toys.

Re:

[Anonymous Coward]

Because some people think that their choice of phone says something about themselves, frankly choosing between the iPhone and a Galaxy is just having an F150 or a Silverado, its the exact same thing that millions of other people have. Much like the iPad/GalaxyTab/Surface, that product that diehards camp on the street for, covet in the corner of the coffee shop and define themselves by is the exact same product that brickies throw around on the jobsite, 12 years olds get in mass handouts at their schools and

Re:

[Jeremy Erwin]

In America, author uses analogy; In Soviet Russia, analogy uses author.

Yes, the F150 is popular. Yes, the iPad is popular. But the analogy ends there.

Re:

[exomondo]

Yes, the F150 is popular. Yes, the iPad is popular. But the analogy ends there.

Kind of, but he's right: They are the most common, defacto choice because they are a good workhorse tool for the job. The Android world is full of choice - which can be a good thing - but if you aren't really fussed with that then you just get whatever everybody else has, which is an iPhone - it might be boring to do that but in that circumstance it's the logical thing to do...that's certainly what I did.

Re:That's Apple

[captnjohnny1618]

Perhaps it's a non-trivial flaw in how they've implemented things and it's going to require nothing short of an overhaul. Six months is nothing to fully implement, test and roll out a fix. I write a software package used in house at a company I work for and it can take weeks to find, fix and test even minor bugs. Just sayin'. You also want to be sure to not introduce new bullshit in your fix. Rush it and you're much more likely to do so and that'll look even worse on such a critical system like this one.

Granted, asking a researcher to not publish results is pretty lame. People have a right to know if they're vulnerable or not.

Re:

[Anonymous Coward]

There is also regression testing. Done wrong, there are a lot of subsystems that will wind up broken.

I do agree that asking not to public results is lame, but I respect the researcher in heeding that, as KeyChain is a security critical element. I also understand that just hinting at a point of a vulnerability will get people going through things with a fine-toothed comb to find it.

So far, Apple seems to be doing OK when it comes to security. Even jailbreaks are history these days.

Re:That's Apple

[AmiMoJo]

Maybe it is non-trivial to fix, but the lack of communication with the original author isn't good. Also, if something is going to take that long to fix the only reasonable thing to do is to publish an advisory so people can defend themselves. If this researcher found it, others can find it. If the only mitigation is to stop using the product, then you have to be honest and say that.

Re:

[captnjohnny1618]

Agreed. Or at the very least, make statement/advisory now that the paper has been published and supposedly the software exploit is alive and well in the App store(s).

Re:

[sudon't]

What they're complaining about is that they never heard back from Apple at the end of the six months. I'm sure that if Apple rang them up and said, "Hey, we're still working on a fix", that they'd have been willing to continue withholding publication. No mention of whether the researchers tried to contact Apple again at that time.

It's much better practice to allow a company to close a hole, than to inform users, who, in most instances, could do fuck all with that knowledge, anyway. On the other hand, there

Re:

[TheP4st]

users, who, in most instances, could do fuck all with that knowledge, anyway.

It is not that bloody hard to switch to another platform in the case of an OS flaw, or hardware vendor in the case of something like the Samsung keyboard hack. A hassle? Yes. But certainly not a case where a user "could do fuck all" at least now iOS and Samsung users can make an informed decision whether to take the risk of sticking with their device or move elsewhere.

On the other hand, there are other people who could make use of that knowledge, and that's who you want to keep in the dark

Which is why responsible researchers wait for a reasonable time before releasing their findings to the public, in this case they waited the 6

Re:

[TheP4st]

Wow nice way of ignoring the second part of my post where I write that Apple were informed by the researchers 6 months ago. so at a minimum this is how long they have been aware of it but left it unpatched since then. And when Apple were informed they asked the researchers to wait 6 months before going public, which they did! Ignoring an issue doesn't make it go away.
And seriously. How many of the apps you bought do you actually need? My bet, not as many you might believe

Re:

[znrt]

Six months is nothing to fully implement, test and roll out a fix.

if i got this right, the unauthorized cross-app resource access is a design flaw in the way different apps are allowed to interact. the apps are already out there. there is no fix unless you are willing to fix all affected apps as well, or break them.

this is a very serious issue and apple's silence and inaction is truly astonishing. at least some mitigation patch would be in place, asking the user's permission whenever any such interactions are about to happen.

Re:

[null etc.]

In 2009, I alerted Apple to a major security flaw in their dev portal, in which anyone with an account could lock out admin access of any other account in the portal. I called their support hotline, and got a cocky rep from Ireland who assured me that no, such a thing was not possible, and that my understanding of the situation must be incorrect.

I wonder if they've ever fixed that issue, especially when they took the dev portal offline for a few months to fix other glaring security issues.

Re:

[FranTaylor]

such as disallowing modification of system files regardless of an application's permission level.

So buggy insecure code somehow becomes secure if you can't modify it?

Re: That's Apple

[scum-e-bag]

Not being able to change libstdc++ may have its advantages.

Apple fans: Circle the wagons!

[Anonymous Coward]

- "This could happen on Android, Windows and Linux, not just on Apple!"

- "It's only theoretical. It cannot happen in practice."

- "This is not how it works. It's because you don't know how to use your Mac/iPhone.."

Re:

[pdclarry]

- "This could happen on Android, Windows and Linux, not just on Apple!"

-

Um, It HAS happened on Android also: Critical flaws in Apple & Samsung Devices [krebsonsecurity.com]

No Keychain

[DanJ_UK]

To be fair I don't even use the keychain for anything other than wifi network passwords.

Re:

[michelcolman]

Take a look in your KeyChain to see what else it stores that you may not even know about. Logins for websites, for example.

Re:

[DanJ_UK]

I never store any passwords, card details, I don't use autocomplete etc, my keychain is very, very empty.

Apart from the 6 dozen wifi networks my laptop has connected to.

Safest place for any password is in your head, I even know all my cards off the top of my head.

Re:

[FranTaylor]

Safest place for any password is in your head

Yeah when you're recuperating from a broken leg and you're all laced up with pain killers, you need to order stuff online because you can't get out, and you can't remember your password. How awesome is that?

Re:

[DanJ_UK]

Hardly, all my passwords have uppercase, lowercase characters, numbers and special characters.

I sometimes forget one and have to reset it via email, but my email and apple ID passwords are some of the strongest of all of them.

For one off accounts or sites I don't give a shit about I tend to choose trivial passwords, ironically they're usually the ones I forget.

Re:

[snookiex]

That sounds like a perfect "edge case". It's incredible, though, the amount of people that heavily rely on auto-saved stuff.

Re:

[DanJ_UK]

I find it quicker to type out an address or any form while tabbing through it than correcting an autocomplete tool that got it wrong or missed a field, guess it depends how quick you type.

Re:

[raque]

Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

Re:

[mjwx]

Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

Most, if not all of my passwords are 5 characters.

I simply take a four letter word like "farm" and a number and capitalise the first letter so it becomes "Farm4". Then I simply multiply that to meet complexity requirements and add a special character corresponding to the number if need be so it becomes something like "Farm4farm4", "Farm4$farm4$" or "Farm4farm4farm4farm4farm4" but all I need to remember is "Farm4" and how many times it is duplicated.

The problem with most people is that they trust expli

Email

[Anonymous Coward]

Keychain keeps your email passwords. Based on that the hacker can have access to your entire web accounts: financial, shoppings, social media, etc. This reminds me to turn off iMessage's access to phone text messages to at least keep the sms secure from same attack vector. Most financial accounts has two factor verification.

Re:

[FranTaylor]

No, it does not keep your email passwords if you don't use OSX to read your email.

Re:No Keychain

[Anubis IV]

It's not just the built-in Keychain that's compromised. They've also managed to use these attacks to snoop on inter-process communication when they shouldn't be able to, such as that between the 1Password Mini extension that runs in the browser and the 1Password app that's responsible for the encrypted vault with all of a user's passwords. By doing so at the right time, they can capture any information exchanged between the two.

Of course, there are easier ways to capture that particular data, such as simply making a malicious browser extension that captures usernames and passwords. You could likely get better distribution by doing so, not to mention avoiding any scrutiny that might come from the review process for the Mac App Store or iOS App Store.

Even so, the fact that this is possible opens up a whole variety of attacks, many of which can compromise more significant amounts of data. For instance, they demonstrated an attack on Evernote that compromises all of the user's notes. Many people keep way too much sensitive information in Evernote, and an attack like this could really burn them.

Re:

[Anonymous Coward]

In the paper it's pointed out that the 1Password exploit is possible because it's using a local WebSocket and the main app doesn't validate that the process talking to it is actually the Mini extension. The paper points out that it would be ideal if Apple provided an API to do this sort of validation the application developer could implement their own solution.

The built-in keychain issue is that on the Mac each item's access is controlled by a ACL. Another app with a forged bundle ID (com.appdev.foo) co

Re:

[wonkey_monkey]

I don't even use the keychain for anything other than wifi network passwords.

I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

Re:

[DanJ_UK]

discussion (d-skshn)
n.

1. 1. Consideration of a subject by a group; an earnest conversation.
2. 2. A formal discourse on a topic; an exposition.

Re:

[XxtraLarGe]

I don't even use the keychain for anything other than wifi network passwords.

I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

And yet you still did...

And they mocked windows for IAC ruthlessly... oh..

[Anonymous Coward]

"these problems are caused by the lack of app-to-app and app-to-OS authentications"

Re: Nesil Hosting

[DanJ_UK]

...and slashdot with all its tweaks couldn't implement a decent captcha. gg

Hacks

[BobSwi]

So that's how that hacker 4chan did it! /s

Order of operations is important

[berj]

It looks like the attacking app needs to be run before the attacked apps have had a chance to put their own entries in keychain.

From their videos they run their "malware" first, setup an empty keychain entry for whatever it is they'd like the password for (eg. iCloud or facebook through chrome). Then they run the app in question which fills in the password into the earlier created keychain entry. Since the malware is the one who created the keychain entry, it has access to the password.

Definitely a vulnerability. But the attack window seems smallish. But, of course, that varies with a user's activities. If they setup their icloud when they installed (or first logged in) or before they did anything else then it looks like the malware can't do anything. But it still leaves a pretty big window.

I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it". Non-trivial changes, I'm sure.

Definitely an ugly one.

Re:

[Anonymous Coward]

I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it".

Already there. The glossary for the documentation on Apple's site (at https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/glossary/glossary.html) has the following:

access control list (ACL)

A structure containing information describing what must happen (display a confirmation dialog, ask for a password, and so forth) in order to permit a specific operation to occur. An ACL may also contain a list of applications that are always trusted to perform that operation. Each keychain item has one or more associated ACLs, and each ACL applies to a single operation that can be done with that item, such as encrypting or decrypting it. See also access object.

Re:

[SQLGuru]

Easy enough to spam the keychain with any of the "interesting" options.....if it's already there and fails, skip it, otherwise, the malware is prepped for a value getting added in the "YourBank" entry to whatever else.

Re:

[FellowConspirator]

Not only that, but apps can detect that happening and remove access from the malware before they save a password. The point is that most vendors don't bother looking at the access control list for keychain items. This is discussed in the developer docs for Keychain Access Controls.

Re:

[Coward Anonymous]

Not quite. The attack is easily extensible so that the attackers can "run before" the target app at any time by simply deleting the keychain entry and recreating it with a new ACL that permits the target app and themselves access to the entry. From the user's perspective, they see an unexplained repeat prompt to enter their password which they'll gladly do and from there on, the attackers have access to the password.

These security holes are quite awful.

Every week now

[koan]

Should Edward Snowden Trust Apple To Do the Right Thing?

http://yro.slashdot.org/story/... [slashdot.org]

What do you think?

Researchers Find Major Keychain Vulnerability in iOS and OS X

http://it.slashdot.org/story/1... [slashdot.org]

Re:

[captnjohnny1618]

... Or a porn about a character named Evernote.

Re:

[captnjohnny1618]

"The secret token of Evernote" would be a great RPG title.

... or a porn about a character named Evernote. (sorry about the repost, forgot to quote the parent in the original.)

"researchers?"

[slashmydots]

Why would "researchers" even bother? Apple is just going to sue them and cover it up. Don't they read tech headlines?

The cynic/conspiracy theorist in me wonders...

[lyran74]

whether companies don't hold back on fixes to these reported bugs as a concession to governments... could companies offering private services like iMessage patch some holes, while serving up others to the spooks with the understanding they have a limited time-frame to work, in exchange for generally being left alone?