Serious iOS, OS X flaws lead to password theft in wide ranging security study
Three serious vulnerabilities in the cross-app resource sharing mechanisms of Apple's desktop and mobile platforms have been discovered and used successfully to steal data such as passwords and secret authentication keys; one of them lays Keychain open to attackers.
Discovered by a team of six researchers at Indiana University, Georgia Tech, and China's Peking University, the exploits rely on fundamental flaws in the implementation of Keychain's access control lists, OS X's app containers, and URL schemes that allow apps to call out to each other. Apple was notified of these vulnerabilities last October, the researchers told The Register, and then requested a six-month extension before the paper was made public, which was granted.
The vulnerability in Keychain stems from its inability to verify whether the app creating, deleting or modifying an entry is the one that should own it. Using the newly discovered exploit, a malicious app can delete existing entries, or create them before the legitimate app has a chance to, and grant both itself and the legitimate app access to the entry. Once the legitimate app writes its secret into that entry, the malicious app simply reads it back.
A proof-of-concept video shows the team removing the Keychain entry for a local user's iCloud account, then creating a new one using a malicious app. After signing in to iCloud through System Preferences, the malicious app successfully retrieves the secret iCloud token stored in that entry. The same attack was used to retrieve passwords stored in Keychain by Google's Chrome browser, which will reportedly remove Keychain access until a fix is issued.
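The following is an added example written for this article, not the researchers' code and not Apple's Keychain API. It models the pre-creation attack described above with a toy keychain (a dictionary of items keyed by service and account, each carrying an ACL of app identifiers), and contrasts the common "update if it exists, else create" pattern with a defensive variant that inspects the ACL of an existing item before trusting it. The app identifiers, service and account names are constructed; the deletion rule (any app may delete any item) is the modelling assumption that stands in for the flaw the article describes.

```python
"""Toy model of the Keychain pre-creation attack and a developer-side check.

Added example for this article. Not Apple's API: 'ToyKeychain' stands in for
Keychain, and an item's 'acl' stands in for the trusted-application list on a
real item's SecAccess object. App identifiers and secrets are constructed.
"""
from typing import Dict, Optional, Set, Tuple

VICTIM = "com.example.legit"     # constructed identifier for the legitimate app
ATTACKER = "com.example.evil"    # constructed identifier for the malicious app


class Item:
    def __init__(self, secret: Optional[str], acl: Set[str]):
        self.secret = secret
        self.acl = set(acl)      # apps allowed to read or update the secret


class ToyKeychain:
    """Items keyed by (service, account); read/update gated on the item ACL."""

    def __init__(self) -> None:
        self.items: Dict[Tuple[str, str], Item] = {}

    def lookup(self, service: str, account: str) -> Optional[Item]:
        return self.items.get((service, account))

    def add(self, service: str, account: str, secret: Optional[str], acl: Set[str]) -> None:
        if (service, account) in self.items:
            raise KeyError("duplicate item")      # one item per service/account pair
        self.items[(service, account)] = Item(secret, acl)

    def delete(self, app: str, service: str, account: str) -> None:
        # Modelling assumption for the flaw: deletion is not gated on the ACL,
        # so an app outside the ACL can still remove the item.
        self.items.pop((service, account), None)

    def update(self, app: str, service: str, account: str, secret: str) -> None:
        item = self.items[(service, account)]
        if app not in item.acl:
            raise PermissionError(app)
        item.secret = secret

    def read(self, app: str, service: str, account: str) -> Optional[str]:
        item = self.items[(service, account)]
        if app not in item.acl:
            raise PermissionError(app)
        return item.secret


def store_naive(kc: ToyKeychain, app: str, service: str, account: str, secret: str) -> None:
    """Common pattern: reuse the slot if it exists. Trusts whoever created it."""
    if kc.lookup(service, account) is None:
        kc.add(service, account, secret, acl={app})
    else:
        kc.update(app, service, account, secret)


def store_checked(kc: ToyKeychain, app: str, service: str, account: str, secret: str) -> None:
    """Defensive pattern: an existing item whose ACL names anyone but ourselves
    was planted by another app. Discard it and recreate it with a one-app ACL."""
    item = kc.lookup(service, account)
    if item is not None and item.acl != {app}:
        kc.delete(app, service, account)
        item = None
    if item is None:
        kc.add(service, account, secret, acl={app})
    else:
        kc.update(app, service, account, secret)


def run_attack(store_fn, item_exists_first: bool = True) -> Optional[str]:
    """Play the attack against a storage routine; return what the attacker reads."""
    kc = ToyKeychain()
    svc, acct = "iCloud", "alice@example.com"          # constructed names
    if item_exists_first:
        # Variant 1: the legitimate item already exists and the attacker deletes it.
        kc.add(svc, acct, "old-token", acl={VICTIM})
        kc.delete(ATTACKER, svc, acct)
    # Variant 2 (or the continuation of 1): the attacker creates the slot first
    # and puts both apps on its ACL.
    kc.add(svc, acct, None, acl={ATTACKER, VICTIM})
    # The user signs in; the legitimate app writes the fresh token into "its" item.
    store_fn(kc, VICTIM, svc, acct, "new-token")
    try:
        return kc.read(ATTACKER, svc, acct)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("naive store leaks:", run_attack(store_naive))       # new-token
    print("checked store leaks:", run_attack(store_checked))   # None
```

The check is a developer-side workaround only: it closes the read path for an app that planted the item, but it cannot stop a malicious app from deleting the item again, and it depends on the legitimate app actually inspecting the access object instead of assuming it owns whatever it finds under its own service name.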
Another vulnerability exists in OS X's app containers, which are designed to keep Mac App Store apps from accessing data belonging to other apps without explicit permission to do so. Apple enforces this access control in part by identifying each app by its Bundle ID, whose uniqueness the Mac App Store is supposed to ensure.
The Mac App Store does not verify the uniqueness of Bundle IDs belonging to helper apps, however. One example of a helper app is 1Password Mini, which is a separate app from 1Password but included in the same download. By bundling a helper with the same Bundle ID as an existing app, a malicious app gains access to that app's container.
An additional flaw in URL schemes allowed the researchers to hijack the URL schemes of other, legitimate apps and intercept any data passed through them. In one example, their malicious app registered the fbauth:// scheme that iOS apps use for Facebook sign-in and was able to intercept the user's Facebook authentication token.
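The following is an added example, not the researchers' code and not Facebook's actual protocol. It models the scheme hijack above with a toy OS registry in which the last app to register a scheme receives every URL for it, and then shows why the standard mitigation, PKCE (RFC 7636), blunts the attack: when the redirect carries only a one-time code bound to a SHA-256 challenge, the hijacker receives the code but lacks the code_verifier that never left the legitimate app's memory. The fbauth scheme name comes from the article; the provider, app objects, URLs and token formats are constructed, and PKCE is a mitigation the article itself does not mention.

```python
"""URL-scheme hijack of an OAuth-style redirect, with and without PKCE (RFC 7636).

Added example for this article. The 'Registry' is a toy stand-in for the OS
URL dispatcher; 'Provider' is a toy authorization server. Only the scheme name
comes from the article; everything else is constructed.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SCHEME = "fbauth"  # scheme named in the article


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """code_verifier stays in the requesting app; only the S256 challenge is sent."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class Provider:
    """Toy authorization server offering two redirect styles."""

    def __init__(self) -> None:
        self.pending = {}          # one-time code -> code_challenge

    def redirect_with_token(self) -> str:
        # Legacy style: the bearer token itself rides in the redirect URL.
        return f"{SCHEME}://authorize?" + urlencode({"access_token": "tok-" + secrets.token_hex(8)})

    def redirect_with_code(self, code_challenge: str) -> str:
        # PKCE style: only a code bound to the challenge is sent.
        code = secrets.token_urlsafe(16)
        self.pending[code] = code_challenge
        return f"{SCHEME}://authorize?" + urlencode({"code": code})

    def token(self, code: str, code_verifier: str) -> str:
        challenge = self.pending.pop(code, None)   # codes are single-use
        if challenge is None:
            raise PermissionError("unknown or already-used code")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return "tok-" + secrets.token_hex(8)


class Registry:
    """Toy OS dispatcher: a scheme goes to whichever app registered it last."""

    def __init__(self) -> None:
        self.handlers = {}

    def register(self, scheme: str, handler) -> None:
        self.handlers[scheme] = handler

    def open(self, url: str) -> None:
        parts = urlsplit(url)
        self.handlers[parts.scheme](parse_qs(parts.query))


class MaliciousApp:
    def __init__(self) -> None:
        self.captured = {}

    def handle(self, params) -> None:
        self.captured.update({k: v[0] for k, v in params.items()})


class LegitimateApp:
    def __init__(self, provider: Provider) -> None:
        self.provider = provider
        self.verifier, self.challenge = make_pkce_pair()
        self.token = None

    def handle(self, params) -> None:
        self.token = self.provider.token(params["code"][0], self.verifier)


def hijack_token_redirect() -> str:
    """Token in the redirect: the hijacker walks away with a usable bearer token."""
    os_, provider, evil = Registry(), Provider(), MaliciousApp()
    os_.register(SCHEME, lambda params: None)   # legitimate app registered first
    os_.register(SCHEME, evil.handle)           # hijacker installed later wins
    os_.open(provider.redirect_with_token())
    return evil.captured["access_token"]


def hijack_pkce_redirect():
    """PKCE: the hijacker gets the code but cannot redeem it without the verifier."""
    os_, provider, evil = Registry(), Provider(), MaliciousApp()
    legit = LegitimateApp(provider)
    os_.register(SCHEME, legit.handle)
    os_.register(SCHEME, evil.handle)
    os_.open(provider.redirect_with_code(legit.challenge))
    code = evil.captured.get("code")
    try:
        provider.token(code, secrets.token_urlsafe(32))   # hijacker must guess the verifier
        redeemed = True
    except PermissionError:
        redeemed = False
    return code is not None, redeemed


def legitimate_pkce_redirect() -> str:
    """No hijacker: the legitimate app redeems the code with its own verifier."""
    os_, provider = Registry(), Provider()
    legit = LegitimateApp(provider)
    os_.register(SCHEME, legit.handle)
    os_.open(provider.redirect_with_code(legit.challenge))
    return legit.token
```

PKCE protects the secret, not the flow: in the hijacked case the legitimate app never sees the redirect and the sign-in simply fails, so the user is left with a broken login rather than a stolen token. Binding the redirect to the calling app (rather than to a scheme any app can claim) is the part only the platform can fix.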
The flaws remain unfixed in the latest pre-release versions of OS X Yosemite, though they have not yet been tested against OS X El Capitan, which was announced last week. The team was also successful in getting proof of concept apps into the Mac and iOS App Stores, where the malware was not detected during the approval process.
It remains unclear how Apple plans to mitigate these threats going forward, as it would require significant architectural alterations to the way OS X and iOS interact with apps.
In the meantime, users are advised to follow standard security precautions: Do not install apps from unknown sources, and be cognizant of any suspicious password prompts.
Comments
"Apple was notified of these vulnerabilities last October, the researchers told The Register, and then requested a six-month extension before the paper was made public, which was granted."
Yikes... Just, yikes.
It remains unclear how Apple plans to mitigate these threats going forward, as it would require significant architectural alterations to the way OS X and iOS interact with apps.
I presume this is why they asked for a six month extension on the release of information on the exploits. Hopefully they've incorporated the fixes for this into El Capitan. Somewhat disappointing to hear it's not resolved in the latest pre-release of Yosemite. Hopefully they'll fix it at least by the last point release for Yosemite (and possibly even patch earlier OS X releases).
Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.
At the same time, exploits like these really should get top priority. Asking for an extension to public release of the info is great, but then you really should get the damn things patched in that time. Hackers have had that much more time to potentially exploit them.
Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.
Yes, but Apple had 6 months to prepare the communication of their side of the story, so Apple is fully responsible. The worst communication about security issues is not to communicate, and sadly enough, Apple is the absolute king of the silence.
Perhaps Eric Schmidt is right: Android is more secure.
Just kidding, I still feel safer.
This could have read, "If you see a prompt for a password and are not installing something, then don't.."
Which, umm.. is basically how it has always been. You literally have to give this exploit permission first before it can do anything.
Way overblown as it's not able to 'usurp' EXISTING keychain passwords. AS THE TITLE IMPLIED! Only if it's creating a NEW keychain, and only by installing something with bad / malicious code, would this work.
They should at least have got back to the researchers, one way or the other.
At the same time, exploits like these really should get top priority. Asking for an extension to public release of the info is great, but then you really should get the damn things patched in that time. Hackers have had that much more time to potentially exploit them.
Well, now it's been 6 months and the info has now been released. So while maybe this was hush-hush before, the info is now out there in the wild for anyone and everyone to make use of.
Thanks for the report on this, AI. Someone has been changing, then re-changing, a lot of my passwords, sometimes minutes after I have changed them myself. This has caused me so much anguish. I've given up with iCloud, it causes so much stress.
Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.
Yep, the attitude seems to be that a snap of the finger fixes these things. The 'other' side of the story is that none of these recently announced nasties have gained any traction in the wild, no mass exploits reported. Could it be that these exploits are much harder than the security researchers imply? Many need physical access.
I also question the ethical logic used by researchers in giving companies like Apple six months to fix something before releasing it to the bad guys. This obviously endangers users. Maybe it’s hard to fix and will take more than six months. Why couldn’t the researchers keep in touch with the companies they examine to see if progress is being made? Why not allow additional time if progress is happening.
I’m not willing to damn Apple yet like some have already done. I don’t fantasize that Apple intentionally ignores these flaws or is lazy, or is incompetent. Sometimes a quick fix causes more problems elsewhere in the code. This appears to be a tough one to fix.
No comments on the Samsung keyboard flaw that leaves 600 million phones vulnerable?
Wow, it always astonishes me the amount of side-line know-it-all dipshits that stories like these attract to the comment boards!
You people instantly assign any and all blame for this on Apple, without even having a SHRED of knowledge about what might be involved in investigating, testing, and implementing a fix for a "fundamental" issue. These OSes run on millions of machines / devices, supporting hundreds of thousands of third-party applications and hardware. You think it's easy to change a fundamental aspect of a core security component in the OS, AND make sure that change doesn't break something??? You guys crack me up, and not in a good way!
Also, these researchers in their videos neglect to show us how they accomplished the required modification of the PLIST file, likely because it cannot be done due to access restrictions on OS X and iOS App Store apps. Yet you still jump on Apple for this like a basement Fandroid drooling over the next $0.99 cheap shit Android handset, pathetic.
Thanks for the report on this, AI. Someone has been changing, then re-changing, a lot of my passwords, sometimes minutes after I have changed them myself. This has caused me so much anguish. I've given up with iCloud, it causes so much stress.
You might want to enable 2-factor authentication, instead of lambasting cloud services. Oh, and perhaps use a complex password while you're at it, and not easy-to-guess ones like "123456qwer".
Maybe I'm naive but I have a really hard time believing if Apple knew about a serious exploit that needed an immediate fix they would sit on it for 6+ months and not do anything about it.
Thanks for the report on this, AI. Someone has been changing, then re-changing, a lot of my passwords, sometimes minutes after I have changed them myself. This has caused me so much anguish. I've given up with iCloud, it causes so much stress.
It's almost a sure thing, guaranteed, that this is NOT the cause of your issues.