Researchers Find Holes In Apple iOS & OS Security

June 22, 2015 at 1:10 pm

If you use an Apple device, you might want to be extra careful with the information you enter into various applications, including your passwords.

“Six university researchers have revealed deadly zero-day flaws in Apple’s iOS and OS X, claiming it is possible to crack Apple’s password-storing keychain, break app sandboxes, and bypass its App Store security checks,” reports Darren Pauli of The Register. 

The research concluded that passwords could be stolen from apps installed on Apple devices. The researchers did their work by uploading malware directly into the Apple app store. No alerts were triggered, Pauli reported. Once the app was installed on users' devices, the researchers were able to gain access to passwords for iCloud and the Mail app as well as passwords saved in Google Chrome.

“Lead researcher Luyi Xing told El Reg he and his team complied with Apple’s request to withhold publication of the research for six months, but had not heard back as of the time of writing,” according to the report.

“They say the holes are still present in Apple’s software, meaning their work will likely be consumed by attackers looking to weaponize the work.”

Since then, Apple has not commented on the security holes or on whether they have been plugged.

“Our malicious apps successfully went through Apple’s vetting process and were published on Apple’s Mac app store and iOS app store,” said Xing.

“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”

Even photos were stolen from an app called WeChat, proving that the consequences of such security holes can be severe. Imagine all of your personal information from iCloud, as well as chat history and photos from your conversations, being accessed by a hacker with a simple malicious app.
