Researchers uncover major security flaws in iOS and OS X that allow for rampant password theft

Shawn Knight


A group of security researchers has revealed zero-day vulnerabilities within iOS and OS X that allow an attacker to wreak havoc on Apple’s ecosystem.

The group, made up of researchers from Indiana University, Peking University and Georgia Institute of Technology, recently published their findings in a paper titled “Unauthorized Cross-App Resource Access on Mac OS X and iOS.”

In it, they demonstrate how it’s possible to upload malware to the App Store and the Mac App Store by circumventing Apple’s vetting process. From there, the malware can also steal credentials from Apple’s password management system Keychain, from other installed apps and even from Google Chrome.

The team said it first notified Apple of the issue in October 2014; Apple asked for six months to fix the issue. In February, Apple staff asked for an advance copy of their research paper. It’s now eight months later and the vulnerabilities still exist in the most recent versions of Apple’s software.

The researchers told The Register that Google’s Chromium security team removed keychain integration for Chrome, saying the issue likely couldn’t be rectified at the application level.

Just how big of a deal is this? According to the researchers, more than 88 percent of apps they tested were completely exposed to the attack.

As 9to5Mac notes, the best advice for now would be to exercise caution when downloading apps from unfamiliar developers.


 
Impossible. That kind of thing happens with all other operating systems, not Apple's. Every iSheep knows that.

I know, right... because... because... because there are no viruses for Mac and it's super duper secure, I mean... come on... really! This is a marketing scheme from Microsoft and Google! Screw them, Gates is the devil!
 
This is NOT a zero day vulnerability, the phrase 'zero day' refers to how long the researchers give the company to fix the flaw before they go public with it - check the internet (that thing we are talking on) for more info. Please. In this same article you just said they gave Apple six months.
 
Typical iSheep... shifting the focus won't change the vulnerability severity.
 
Look, this is clearly a hoax Shawn is using to unsettle Apple users. Macs do not get viruses and they have no real security vulnerabilities. You can only get a virus or have info stolen if you give malicious code permission to do so. Don't believe me? Here's two quotes from the article:

"[...] they demonstrate how it’s possible to upload malware to the App Store and the Mac App Store by circumventing Apple’s vetting process."

"As 9to5Mac notes, the best advice for now would be to exercise caution when downloading apps from unfamiliar developers."

If you aren't smart enough to know how to use the App Store safely, it's your fault there's malware on your Mac.
 
Look, this is clearly a hoax Shawn is using to unsettle Apple users. Macs do not get viruses and they have no real security vulnerabilities. You can only get a virus or have info stolen if you give malicious code permission to do so. Don't believe me? Here's two quotes from the article:

"[...] they demonstrate how it’s possible to upload malware to the App Store and the Mac App Store by circumventing Apple’s vetting process."

"As 9to5Mac notes, the best advice for now would be to exercise caution when downloading apps from unfamiliar developers."

If you aren't smart enough to know how to use the App Store safely, it's your fault there's malware on your Mac.

So downloading an app from an app store that is supposed to be completely locked and only apps approved by Apple should be there is not using it safely? Apple messed up, they caused a problem, this is their fault and it makes your iPhone unsafe. On top of that Apple messed up and did not even fix it in the time frame THEY ASKED FOR, they screwed up and like it or not this is a security vulnerability since an iPhone without the app store is pretty much useless.
 
So downloading an app from an app store that is supposed to be completely locked and only apps approved by Apple should be there is not using it safely? Apple messed up, they caused a problem, this is their fault and it makes your iPhone unsafe. On top of that Apple messed up and did not even fix it in the time frame THEY ASKED FOR, they screwed up and like it or not this is a security vulnerability since an iPhone without the app store is pretty much useless.

:cool:
 
Look, this is clearly a hoax Shawn is using to unsettle Apple users. Macs do not get viruses and they have no real security vulnerabilities. You can only get a virus or have info stolen if you give malicious code permission to do so. Don't believe me? Here's two quotes from the article:

"[...] they demonstrate how it’s possible to upload malware to the App Store and the Mac App Store by circumventing Apple’s vetting process."

"As 9to5Mac notes, the best advice for now would be to exercise caution when downloading apps from unfamiliar developers."

If you aren't smart enough to know how to use the App Store safely, it's your fault there's malware on your Mac.

You do realize it's pretty much the same with every system existent to date... right? :p
 