Critical zero-day flaws in Apple’s iOS and OS X could allow hackers to steal passwords
Researchers have revealed some serious zero-day flaws in Apple’s iOS and OS X operating systems that when exploited could allow attackers to break into the company’s password-storing keychain, app sandboxes, as well as circumvent its App Store security checks, effectively letting them steal passwords from installed apps, including iCloud, Mail app, as well as Google Chrome.
“Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store,” said lead researcher Luyi Xing. “We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
What’s worth mentioning here is that the flaws were reported to Apple back in October last year. At that time, the Cupertino-based company asked the researchers to withhold their research, saying that it needs at least six months to fix the flaws. However, the researchers haven’t received any update from Apple since then, and are claiming that the flaws are still present in the company’s software.
The research is detailed in a paper titled Unauthorized Cross-App Resource Access on Mac OS X and iOS.