SoylentNews is people

posted by janrinok on Thursday June 18 2015, @05:52PM
from the we-need-to-get-this-right dept.

Researchers have uncovered huge holes in the application sandboxes protecting Apple's OS X and iOS operating systems, a discovery that allows them to create apps that pilfer iCloud, Gmail, and banking passwords and can also siphon data from 1Password, Evernote, and other apps.

The malicious proof-of-concept apps were approved by the Apple Store, which requires all qualifying submissions to treat every other app as untrusted. Despite the supposed vetting by Apple engineers, the researchers' apps were able to bypass sandboxing protections that are supposed to prevent one app from accessing the credentials, contacts, and other resources belonging to another app. Like Linux, Android, Windows, and most other mainstream OSes, OS X and iOS strictly limit app access for the purpose of protecting them against malware. The success of the researchers' cross-app resource access—or XARA—attacks raises troubling doubts about those assurances on the widely used Apple platforms.

"The consequences are dire," they wrote in a research paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS. "For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome."


  • (Score: 0) by Anonymous Coward on Thursday June 18 2015, @06:00PM

    Wait what?? o_O

    (In reality it's hard to say which one is even more dangerous to your health, apple or google... best to stay away from both)

  • (Score: 2, Funny) by Anonymous Coward on Thursday June 18 2015, @06:26PM

    Are you advocating for Windows phones?

    • (Score: 1, Insightful) by Anonymous Coward on Thursday June 18 2015, @07:12PM

      Advocate for a dumb phone (or no phone even) and keep a notebook on hand for things to remember in the short term. Much more secure, can be completely destroyed with absolute certainty and fraudulent copies are going to be obvious.

    • (Score: 2) by Freeman on Thursday June 18 2015, @08:31PM

      I would switch to a landline, if that was my only choice.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"