Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security IOS OS X Apple

Researchers Find Major Keychain Vulnerability in iOS and OS X 78

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.
This discussion has been archived. No new comments can be posted.

Researchers Find Major Keychain Vulnerability in iOS and OS X

Comments Filter:
  • by Anonymous Coward

    - "This could happen on Android, Windows and Linux, not just on Apple!"

    - "It's only theoretical. It cannot happen in practice."

    - "This is not how it works. It's because you don't know how to use your Mac/iPhone.."

  • To be fair I don't even use the keychain for anything other than wifi network passwords.
    • Re: (Score:3, Interesting)

      Take a look in your KeyChain to see what else it stores that you may not even know about. Logins for websites, for example.

      • Re: (Score:2, Insightful)

        by DanJ_UK ( 980165 ) *
        I never store any passwords, card details, I don't use autocomplete etc, my keychain is very, very empty.

        Apart from the 6 dozen wifi networks my laptop has connected to.

        Safest place for any password is in your head, I even know all my cards off the top of my head.
        • Safest place for any password is in your head

          Yeah when you're recuperating from a broken leg and you're all laced up with pain killers, you need to order stuff online because you can't get out, and you can't remember your password. How awesome is that?

          • That sounds like a perfect "edge case". It's incredible, though, the amount of people that heavily rely on auto-saved stuff.

            • by DanJ_UK ( 980165 ) *
              I find it quicker to type out an address or any form while tabbing through it than correcting an autocomplete tool that got it wrong or missed a field, guess it depends how quick you type.
        • by raque ( 457836 )

          Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

          • by mjwx ( 966435 )

            Either your passwords are weak, or you're really smart. That doesn't help me. I have just too many passwords to manage. Firefox stores it's passwords separately, but I don't know how much that helps. The truth is you have to trust the machine and the people who make it. Yea, I know that sux.

            Most, if not all of my passwords are 5 characters.

            I simply take a four letter word like "farm" and a number and capitalise the first letter so it becomes "Farm4". Then I simply multiply that to meet complexity requirements and add a special character corresponding to the number if need be so it becomes something like "Farm4farm4", "Farm4$farm4$" or "Farm4farm4farm4farm4farm4" but all I need to remember is "Farm4" and how many times it is duplicated.

            The problem with most people is that they trust expli

      • by Anonymous Coward

        Keychain keeps your email passwords. Based on that the hacker can have access to your entire web accounts: financial, shoppings, social media, etc. This reminds me to turn off iMessage's access to phone text messages to at least keep the sms secure from same attack vector. Most financial accounts has two factor verification.

    • Re:No Keychain (Score:5, Informative)

      by Anubis IV ( 1279820 ) on Wednesday June 17, 2015 @11:49AM (#49929733)

      It's not just the built-in Keychain that's compromised. They've also managed to use these attacks to snoop on inter-process communication when they shouldn't be able to, such as that between the 1Password Mini extension that runs in the browser and the 1Password app that's responsible for the encrypted vault with all of a user's passwords. By doing so at the right time, they can capture any information exchanged between the two.

      Of course, there are easier ways to capture that particular data, such as simply making a malicious browser extension that captures usernames and passwords. You could likely get better distribution by doing so, not to mention avoiding any scrutiny that might come from the review process for the Mac App Store or iOS App Store.

      Even so, the fact that this is possible opens up a whole variety of attacks, many of which can compromise more significant amounts of data. For instance, they demonstrated an attack on Evernote that compromises all of the user's notes. Many people keep way too much sensitive information in Evernote, and an attack like this could really burn them.

      • by Anonymous Coward
        In the paper it's pointed out that the 1Password exploit is possible because it's using a local WebSocket and the main app doesn't validate that the process talking to it is actually the Mini extension. The paper points out that it would be ideal if Apple provided an API to do this sort of validation the application developer could implement their own solution.

        The built-in keychain issue is that on the Mac each item's access is controlled by a ACL. Another app with a forged bundle ID (com.appdev.foo) co
    • Re: (Score:2, Informative)

      I don't even use the keychain for anything other than wifi network passwords.

      I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

      • by DanJ_UK ( 980165 ) *
        discussion (d-skshn)
        n.
        1. 1. Consideration of a subject by a group; an earnest conversation.
        2. 2. A formal discourse on a topic; an exposition.
      • I don't even use the keychain for anything other than wifi network passwords.

        I don't use iOS at all, but I didn't see the point in posting just to tell everyone this.

        And yet you still did...

  • "these problems are caused by the lack of app-to-app and app-to-OS authentications"

  • So that's how that hacker 4chan did it! /s
  • by berj ( 754323 ) on Wednesday June 17, 2015 @11:29AM (#49929571)

    It looks like the attacking app needs to be run before the attacked apps have had a chance to put their own entries in keychain.

    From their videos they run their "malware" first, setup an empty keychain entry for whatever it is they'd like the password for (eg. iCloud or facebook through chrome). Then they run the app in question which fills in the password into the earlier created keychain entry. Since the malware is the one who created the keychain entry, it has access to the password.

    Definitely a vulnerability. But the attack window seems smallish. But, of course, that varies with a user's activities. If they setup their icloud when they installed (or first logged in) or before they did anything else then it looks like the malware can't do anything. But it still leaves a pretty big window.

    I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it". Non-trivial changes, I'm sure.

    Definitely an ugly one.

    • by Anonymous Coward

      I'm guessing that the "fix" would be for there to be no way to share passwords among apps.. or for an app to be allowed to specify that "this password is for me and me alone.. nobody else can have access to it".

      Already there. The glossary for the documentation on Apple's site (at https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/glossary/glossary.html) has the following:

      access control list (ACL)

      A structure containing information describing what must happen (display a confirmation dialog, ask for a password, and so forth) in order to permit a specific operation to occur. An ACL may also contain a list of applications that are always trusted to perform that operation. Each keychain item has one or more associated ACLs, and each ACL applies to a single operation that can be done with that item, such as encrypting or decrypting it. See also access object.

    • by SQLGuru ( 980662 )

      Easy enough to spam the keychain with any of the "interesting" options.....if it's already there and fails, skip it, otherwise, the malware is prepped for a value getting added in the "YourBank" entry to whatever else.

    • Not only that, but apps can detect that happening and remove access from the malware before they save a password. The point is that most vendors don't bother looking at the access control list for keychain items. This is discussed in the developer docs for Keychain Access Controls.

    • Not quite. The attack is easily extensible so that the attackers can "run before" the target app at any time by simply deleting the keychain entry and recreating it with a new ACL that permits the target app and themselves access to the entry. From the user's perspective, they see an unexplained repeat prompt to enter their password which they'll gladly do and from there on, the attackers have access to the password.

      These security holes are quite awful.

  • Should Edward Snowden Trust Apple To Do the Right Thing?

    http://yro.slashdot.org/story/... [slashdot.org]

    What do you think?

    Researchers Find Major Keychain Vulnerability in iOS and OS X

    http://it.slashdot.org/story/1... [slashdot.org]

  • Why would "researchers" even bother? Apple is just going to sue them and cover it up. Don't they read tech headlines?
  • whether companies don't hold back on fixes to these reported bugs as a concession to governments... could companies offering private services like iMessage patch some holes, while serving up others to the spooks with the understanding they have a limited time-frame to work, in exchange for generally being left alone?

This process can check if this value is zero, and if it is, it does something child-like. -- Forbes Burkowski, CS 454, University of Washington

Working...