mario wrote: »
Actually, that is not how it works. True, it cannot steal existing passwords, but it can erase the existing password for another application, re-create the entry with an empty password, an entry that it now has permission to read. Now when you start that other application that had previously saved the password, it will prompt you for the password since the value is now empty. If you re-type the password, both the application you are running and the malicious application have access to it.
For example, let's say you use Safari to access your bank site. You save the password for the bank in your keychain. You now install a malicious application that, when run, deletes Safari's keychain and creates a new Safari keychain entry that both it and Safari can read.
You now start Safari and go to your bank site. Normally the password would be read from the keychain and filled in the form, but since the rogue app deleted the entry there is no password, so you must re-enter it on the form. Safari now saves the password in the keychain, but the rogue application now has access to it as well.
This is much more subtle and harder to detect. You need to remember that you had already entered the password for your bank before and that Safari not filling bank website password is strange!! With how many users will that trigger suspicion?
ericthehalfbee wrote: »
Yup. Posted yesterday and yet many tech sites aren't reporting it, but have already reported this Apple story.
Samsung has known since Dec 2014 and only released a patch in early 2015. Which STILL hasn't hit most devices because the carriers are so damned slow. They tried it on brand-new Galaxy S6 devices and the flaw was still present.
boriscleto wrote: »
No comments on the Samsung keyboard flaw that leaves 600 million phones vulnerable?
What's Apple's side of the story? I'm searching on the web but couldn't find any story related to this from Apple. Do you have a link? It'll be really helpful to hear Apple's side of the story. If it's not Apple's fault and it's already been patched, I really want to know.
You might want to enable 2-factor authentication, instead of lambasting cloud services. Oh, and perhaps use a complex password while you're at it, and not easy-to-guess ones like "123456qwer".
Please stop giving out my password.
Interesting. Apple says they have a keychain and will make it conveniently available for use on your Mac and Safari, and that it's secure, and you say people that trust Apple to secure it are idiots?
I don't, but I can certainly understand why people would.
Depends on the celebrity. ;-)
philboogie wrote: »
Security firm NowSecure said a bug in the pre-installed Swift keyboard software installed on more than 600 million Samsung devices could allow a hacker to “execute code as a privileged user” to gain access to the device and the user’s network.
If the flaw in the keyboard is exploited, the attacker could access the phone’s GPS, camera, microphone, install malicious apps, eavesdrop on calls, and access photos and messages. The keyboard cannot be disabled or uninstalled. Even when it’s not being used, the security flaw can still be exploited.
The list of devices includes the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini. Verizon, AT&T, Sprint, and T-Mobile customers are all impacted.
You can grant access to several applications on your Keychain items.
1) Double click a Keychain item you want to extend its access to new applications.
2) When the item window opens, click the button Access Control. You will see a list of applications access is granted to.
3) Click the + sign to add as many malicious applications as your very malicious soul is pleased to that list.
4) Close and save.
The key point in that presentation is how the TrackMix application controls the access of "iCloud application" to a new entry it creates. If there is a flaw then THAT is the flaw.
... Or that may be just a feature. Indeed the operating system apparently permits this. I didn't read the related developer documentation.
If you omit the part where you control another application's access to your new Keychain entry, and instead show us copying of a legitimately updated token as "flaw", then you are insulting your audience's intelligence.
Indeed you cannot show the real "flaw" because your entire show business is based on that "flaw"...
So I have to dl a malicious app? OK. That's a little far-fetched. Any way this can be executed server side, like Dropbox getting hacked or a Dropbox lookalike phishing-style hack getting you to give up a password and get in that way? Obviously, I'm no computer scientist.
EDIT: started typing, had to get some junk done, then hit send, in the meantime it seems some new information has come to light, man.
gatorguy wrote: »
mstone wrote: »
The easiest solution is simply never download any sketchy apps from unknown sources.
freerange wrote: »
Anyone that saves their bank password in their keychain is an idiot, but point well taken.
Apple rarely tells their side of the story... they either fix it and release code with cryptic release notes, or, on the rare occasion, release research that says it's not really a problem (antenna gate).
But they almost never say "this is a problem" before they have a patch.
I think the point, and it may be a bit extreme, is that critical passwords should not be stored anywhere outside of your brain.
My Facebook, Disqus, my jimmyjohns order app passwords, or whatnot are okay stored encrypted online... bank, social security administration, taxes, medical records... no.
This is no longer surprising as Apple adds more and more features to iOS and OS X. The more complex the system, the more vulnerabilities will be discovered. For iOS 9 and El Capitan, Apple should just focus on fixing existing bugs and vulnerabilities.