Serious iOS, OS X flaws lead to password theft in wide ranging security study

13

Comments

  • Reply 41 of 70
    asdasdasdasd Posts: 5,686member
    mario wrote: »

    Actually, that is not how it works. True it can not steal existing passwords, but it can erase the existing password for another application, re-create the entry with empty password, entry that it now has permission to read. Now when you start that other application that had previously saved password, it will prompt you for password since the value is now empty. If you re-type the password, both application you are running and the malicious application have access to it.

    For example, let's say you use Safari to access your bank site. You save the password for the bank in your keychain. You now install malicious application that when run deletes Safari's keychain and creates new Safari keychain entry that both it and Safari can read.

    You now start Safari and go to your bank site. Normally password would be read form keychain and filled in the form, but since rouge app deleted the entry there is no password, so you must re-enter it on the form. Safari now saves the password in the keychain, but rouge application now has access to it as well.

    This is much more subtle and harder to detect. You need to remember that you had already entered the password for your bank before and that Safari not filling bank website password is strange!! With how many users will that trigger suspicion?

    Wow. That's a fairly big exploit.

    The URL schemes are inherently unsafe so if Facebook is passing the access token then it can be read. They are fixing this in iOS 9, not sure about 10.11.

    The helper app seems odd as I thought you had to codesign all the bundles.

    These are hard to fix without a large overhaul.
  • Reply 42 of 70
    gatorguygatorguy Posts: 23,423member
    Yup. Posted yesterday and yet many tech sites aren't reporting it, but have already reported this Apple story.

    Samsung has known since Dec 2014 and only released a patch in early 2015. Which STILL hasn't hit most devices because the carriers are so damned slow. They tried it on brand-new Galaxy S6 devices and the flaw was still present.
    Nothing that Samung offers or exposes could have anywhere near the impact of Apple. Thus Apple gets more attention. When it's good news its more widely reported and more quickly announced all over tech blogs than any other company's news. Of course when it's not so0 good it gets reportedly fast too. Comes with being the big dog with the greatest influence.

    With that out of the way the Samsung story was pretty widely reported yesterday, making it to several Android blogs, Forbes, ComputerWorld, IBTimes, ZDNet, etc. That you didn't notice is evidence of what I mentioned earlier being true. Samsung or IBM or Intel or whoever news isn't as important as Apple news.
  • Reply 43 of 70
    philboogiephilboogie Posts: 7,674member
    boriscleto wrote: »
    No comments on the Samsung keyboard flaw that leaves 600 million phones vulnerable?

    Wow.

    Security firm NowSecure said a bug in the pre-installed Swift keyboard software installed on more than 600 million Samsung devices could allow a hacker “execute code as a privileged user” to gain access to the device and the user’s network.

    If the flaw in the keyboard is exploited, the attacker could access the phone’s GPS, camera, microphone, install malicious apps, eavesdrop on calls, and access photos and messages. The keyboard cannot be disabled or uninstalled. Even when it’s not being used, the security flaw can still be exploited.

    The list of devices includes the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini. Verizon, AT&T, Sprint, and T-Mobile customers are all impacted.
  • Reply 44 of 70
    ipenipen Posts: 410member
    Quote:

    Originally Posted by Rogifan View Post



    Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.

     

    What's Apple side of story?  I'm searching on the web but  couldn't find any story related to this from Apple.  Do you have a link?  It'll be really helpful to hear Apple side of story.  If it's not Apple's fault and it's already got patched, i really want to know.

  • Reply 45 of 70
    dasanman69dasanman69 Posts: 13,002member
    boriscleto wrote: »
    No comments on the Samsung keyboard flaw that leaves 600 million phones vulnerable?

    Because this is an Apple site.
  • Reply 46 of 70
    freerangefreerange Posts: 1,595member
    Anyone that saves their bank password in their keychain is an idiot, but point well taken.
  • Reply 47 of 70
    vmarksvmarks Posts: 760editor
    Quote:

    Originally Posted by MagMan1979 View Post

     



    You might want to enable 2-factor authentication, instead of lambasting cloud services. Oh, and perhaps use a complex password while you're at it, and not easy-to-guess ones like "123456qwer".




    Please stop giving out my password.

     

    8-)

  • Reply 48 of 70
    vmarksvmarks Posts: 760editor
    Quote:

    Originally Posted by FreeRange View Post



    Anyone that saves their bank password in their keychain is an idiot, but point well taken.



    Interesting. Apple says they have a keychain and will make it conveniently available for use on your Mac and Safari, and that it's secure, and you say people that trust Apple to secure it are idiots?

     

    I don't, but I can certainly understand why people would.

  • Reply 49 of 70
    trubadortrubador Posts: 80member
    Quote:


    My Keychain they can have, but please, do not let this result in the posting of nude celeb selfies! 


    Depends on the celebrity. ;-)

  • Reply 50 of 70
    peteopeteo Posts: 402member
    Quote:
    Originally Posted by Adrayven View Post

    So



    This could have read, "If you see a prompt for a password and are not installing something, then don't.."



    Which, umm.. is basically how it has always been. You literally have to give this exploit permission first before it can do anything.



    Way overblown as it's not able to 'userp' EXISTING keychain passwords. AS THE TITLE IMPLIED! Only if it's creating a NEW keychain, and only by installing something with bad / malice code, would this work.



    Another sensationalist click'n bait article.. bah..

     

    Heres a video of th expliot and
    Should make it easier to understand
  • Reply 51 of 70
    gatorguygatorguy Posts: 23,423member
    philboogie wrote: »
    Wow.

    Security firm NowSecure said a bug in the pre-installed Swift keyboard software installed on more than 600 million Samsung devices could allow a hacker “execute code as a privileged user” to gain access to the device and the user’s network.

    If the flaw in the keyboard is exploited, the attacker could access the phone’s GPS, camera, microphone, install malicious apps, eavesdrop on calls, and access photos and messages. The keyboard cannot be disabled or uninstalled. Even when it’s not being used, the security flaw can still be exploited.

    The list of devices includes the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini. Verizon, AT&T, Sprint, and T-Mobile customers are all impacted.
    Well I learned me sumpin' today. :D

    I had no idea Samsung could do direct security updates to their phones, bypassing the carriers. I suppose it's along the lines of what Google is doing with some Android security features and direct updates?

    "The update will come by way of the security policy update mechanism in Samsung Knox and not with a full system update, samsung said in its statement. (And that begs the question why that wasn't done in the first place, if indeed we'd been waiting on U.S. operators to push out a fix.)

    Here's what's up. In a statement given to Android Central, Samsung says:

    Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward."

    The crux of the issue came from the way the language packs in Samsung's keyboard are updated. (The language packs are part of the SwiftKey SDK, but the retail version of the SwiftKey keyboard wasn't involved in any of this in any way.) If your phone was connected to an unsecure access point and an attacker was able to catch you at the moment your phone was updating the language pack, they'd be able to replace the update payload with something nefarious. That would require a lot of things to line up at once, of course. But while the exploit is obscure, it's still real and needs to be fixed."

    So color me surprised. I'm with Android Central. If Samsung could do this before why haven't they??
  • Reply 52 of 70
    macplusplusmacplusplus Posts: 2,098member

    You can grant access to several applications on your Keychain items.

     

    1) Double click a Keychain item you want to extend its access to new applications.

    2) When the item window opens, click the button Access Control. You will see a list of applications access is granted to.

    3) Click the + sign to add as many malicious applications as your very malicious soul is pleased to that list.

    4) Close and save.

     

    The key point in that presentation is how the TrackMix application controls the access of "iCloud application" to a new entry it creates. If there is a flaw then THAT is the flaw.

     

    ... Or that may be just a feature. Indeed the operating system apparently permits this. I didn't read the related developer documentation.

     

    If you omit the part where you control another application's access to your new Keychain entry, and instead show us copying of a legitimately updated token as "flaw", then you are insulting your audience's intelligence.

     

    Indeed you cannot show the real "flaw" because your entire show business is based on that "flaw"...

  • Reply 53 of 70
    cornchipcornchip Posts: 1,911member
    Quote:
    Originally Posted by AppleInsider View Post

    In the meantime, users are advised to follow standard security precautions: Do not install apps from unknown sources, and be cognizant of any suspicious password prompts.

     

    So I have to dl a malicious app? OK. That's a little far fetched. Any way this can be executed server side, like dropbox getting hacked or a dropbox lookalike phishing style hack get you to give up a password and get in that way? Obviously, I'm no computer scientist. 

     

    EDIT: started typing, had to get some junk done, then hit send, in the mean time it seems some new information has come to light, man. 

  • Reply 54 of 70
    philboogiephilboogie Posts: 7,674member
    gatorguy wrote: »
    ^ post

    And I learn from you, tnx.

    So, in short, all software suffers from bugs, design flaws and security ...issues. An they all address them, be it slow or swift.
  • Reply 55 of 70
    timmymantimmyman Posts: 31member
    mstone wrote: »
    The easiest solution is simply never download any sketchy apps from unknown sources.

    The Mac App Store is an "unknown source"? Since when?
  • Reply 56 of 70
    timmymantimmyman Posts: 31member
    freerange wrote: »
    Anyone that saves their bank password in their keychain is an idiot, but point well taken.

    Why? Isn't the whole point of Keychain to be a secure place to store passwords? Why would one be an idiot to use Keychain for the very purpose of its existence?
  • Reply 57 of 70
    theothergeofftheothergeoff Posts: 2,081member
    Quote:

    Originally Posted by ipen View Post

     

     

    What's Apple side of story?  I'm searching on the web but  couldn't find any story related to this from Apple.  Do you have a link?  It'll be really helpful to hear Apple side of story.  If it's not Apple's fault and it's already got patched, i really want to know.


    Apple rarely tells their side of the story... they either fix it and release code with cryptic release notes, or, in the rare occasion, release research that says it's not really a problem (antenna gate).

     

    But they almost never say "this is a problem" before they have a patch.

  • Reply 58 of 70
    theothergeofftheothergeoff Posts: 2,081member
    Quote:

    Originally Posted by TimMyMan View Post





    Why? Isn't the whole point of Keychain to be a secure place to store passwords? Why would one be an idiot to use Keychain for the very purpose of its existence?

    I think the point is, and it may be a bit extreme, is that critical passwords should not be stored anywhere outside of your brain.

    My facebook, discus, my jimmyjohns order app passwords, or whatno are okay stored encrypted online...  bank, social security administation, taxes, medical records...  no.

  • Reply 59 of 70
    Hi, I'm Megan and I work for AgileBits, the makers of 1Password.

    For our security expert's thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we'd love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.
  • Reply 60 of 70
    ralphmouthralphmouth Posts: 192member

    This is no longer surprising as Apple adds more and more features to iOS and OS X.The more complex the system the more vulnerabilities will be discovered. For iOS 9 and El Capitan, Apple should just focus on fixing existing bugs and vulnerabilities.

Sign In or Register to comment.