A group of security researchers have revealed zero-day vulnerabilities within iOS and OS X that allow an attacker to wreak havoc on Apple’s ecosystem.

The group, comprised of researchers from Indiana University, Peking University and Georgia Institute of Technology, recently published their findings in a paper titled Unauthorized Cross-App Resource Access on Mac OS X and iOS.

In it, they demonstrate how it’s possible to upload malware to the App Store and the Mac App Store by circumventing Apple’s vetting process. From there, the malware can also steal credentials from Apple’s password management system Keychain, from other installed apps and even from Google Chrome.

The team said it first notified Apple of the issue in October 2014; Apple asked for six months to fix the issue. In February, Apple staff asked for an advanced copy of their research paper. It’s now eight months later and the vulnerabilities still exist in the most recent versions of Apple’s software.

The researchers told The Register that Google’s Chromium security team removed keychain integration for Chrome, saying the issue likely couldn’t be rectified at the application level.

Just how big of a deal is this? According to the researchers, more than 88 percent of apps they tested were completely exposed to the attack.

As 9to5Mac notes, the best advice for now would be to exercise caution when downloading apps from unfamiliar developers.