Researchers at Indiana University, Peking University, the Georgia Institute of Technology, and Tsinghua University have published a paper detailing a new category of security weaknesses in Apple’s operating system software.
They call this category XARA, short for cross-app resource access, and explain that the keychain and WebSocket on OS X, and the URL Scheme on iOS, could be exploited to gain access to private data.
According to the researchers, they notified Apple about the vulnerability on 15 October 2014, and were informed that the company needed 6 months to fix the issue.
“We checked the most recent OS X 10.10.3 and beta version 10.10.4 and found that they attempted to address the iCloud issue using a 9-digit random number as accountName,” the researchers said.
However, the account name attribute for other services remains unobfuscated. Gmail, for example, still uses your email address as the username.
“Most importantly, such protection, based upon a secret attribute name, does not work when the attacker reads the attribute names of an existing item and then deletes it to create a clone under its control.”
They noted that this is a new problem they discovered after the first keychain vulnerability report, and are helping Apple to fix it.
Keychain race condition
In a blog post about the vulnerability, security firm Sophos explained that the researchers essentially exploited what is known as a race condition in Keychain on OS X.
Normally when you choose to store your username and password for an application, website, or Wi-Fi hotspot, a login cookie is created in Keychain which only that application or service would have access to.
The race condition arises if a malicious app creates the login cookie first and grants the target application permission to access that Keychain item, so that the target later writes its credentials into an item the malicious app can read.
However, there is one trick: the application being subverted must not have created its own Keychain item yet.
Unfortunately there is a workaround to this, Sophos reported, as it may be possible for the malicious app to delete the login cookie of other applications – allowing it to trigger the race condition.
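To make the two scenarios concrete (the pre-created item described by Sophos above, and the read-delete-clone trick the researchers describe against Apple's random accountName fix), here is an added simulation in Python. It is not code from the paper, from Sophos or from Apple's Security framework: the Keychain class is a constructed model in which items are keyed by service and account name, carry an ACL of app identifiers, and, as the article describes, have attribute names that any app can list and can be deleted by apps that are not on their ACL. The `safe_store` check at the end is an assumed defensive pattern, not a documented Apple API: an app refuses to write into an existing item it did not create or whose ACL lists anyone else.

```python
"""Simplified model of the OS X Keychain race condition described in the article.

Constructed simulation for illustration only, not Apple's Security framework:
items are keyed by (service, account), carry an access-control list (ACL) of
app identifiers, and, as the article describes, attribute names are listable
and items deletable by any app, while secrets are readable only by apps on
the item's ACL.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Item:
    service: str
    account: str
    secret: str
    creator: str                           # app that created the item
    acl: set = field(default_factory=set)  # apps allowed to read/update the secret


class Keychain:
    def __init__(self):
        self.items = {}

    def store(self, app, service, account, secret, share_with=()):
        """Create the item, or update it if one exists and app is on its ACL."""
        key = (service, account)
        item = self.items.get(key)
        if item is None:
            self.items[key] = Item(service, account, secret, app, {app, *share_with})
            return "created"
        if app not in item.acl:
            raise PermissionError(f"{app} is not on the ACL of {key}")
        item.secret = secret
        return "updated"

    def read(self, app, service, account):
        item = self.items[(service, account)]
        if app not in item.acl:
            raise PermissionError(f"{app} is not on the ACL of {(service, account)}")
        return item.secret

    # Modelled weakness from the article: attribute names are not secret and
    # items can be deleted by apps that are not on their ACL.
    def accounts(self, service):
        return [a for (s, a) in self.items if s == service]

    def delete(self, service, account):
        self.items.pop((service, account), None)


def race_before_first_write():
    """Attacker plants the item first and shares it with the victim app."""
    kc = Keychain()
    kc.store("evil.app", "icloud", "user@example.com", "", share_with=("victim.app",))
    # Victim believes it is creating its own item; the write lands in the planted one.
    kc.store("victim.app", "icloud", "user@example.com", "hunter2")
    return kc.read("evil.app", "icloud", "user@example.com")


def read_delete_clone():
    """Victim already stored under a random 9-digit account name; the name is
    still readable, so the item can be deleted and cloned with a shared ACL."""
    kc = Keychain()
    account = str(secrets.randbelow(10**9)).zfill(9)
    kc.store("victim.app", "icloud", account, "hunter2")
    stolen_name = kc.accounts("icloud")[0]      # attribute name is not protected
    kc.delete("icloud", stolen_name)
    kc.store("evil.app", "icloud", stolen_name, "", share_with=("victim.app",))
    kc.store("victim.app", "icloud", stolen_name, "hunter2")  # re-save hits the clone
    return kc.read("evil.app", "icloud", stolen_name)


def safe_store(kc, app, service, account, secret):
    """Assumed defensive pattern (not a documented Apple API): refuse to update an
    item this app did not create or whose ACL lists any other app."""
    item = kc.items.get((service, account))
    if item is not None and (item.creator != app or item.acl != {app}):
        return "refused"
    return kc.store(app, service, account, secret)


def race_with_check():
    """Same planted item as race_before_first_write, but the victim checks first."""
    kc = Keychain()
    kc.store("evil.app", "icloud", "user@example.com", "", share_with=("victim.app",))
    result = safe_store(kc, "victim.app", "icloud", "user@example.com", "hunter2")
    return result, kc.read("evil.app", "icloud", "user@example.com")


if __name__ == "__main__":
    print(race_before_first_write())   # hunter2
    print(read_delete_clone())         # hunter2
    print(race_with_check())           # ('refused', '')
```

The second function is the point the researchers make in their quote above: hiding the account name behind a random number only helps if the attacker cannot read attribute names, and in this model, as in the article's description, it can. The check in `safe_store` instead makes the writing app verify ownership of the item before it trusts it, which is the kind of app-side validation the researchers describe as missing from app-to-system interactions.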
Stealing credentials from Keychain is only one possible application of XARA attacks, the researchers wrote.
Not only were they able to get a user’s login for iCloud, e-mail, and bank accounts, they also successfully demonstrated breaking Apple’s App sandbox.
They said that they wrote a proof-of-concept application that does this, and managed to get it through Apple’s checks and published on the App Store.
These exploits were demonstrated in a series of videos which were published in an article on The Register.
“Fundamentally, the problem comes from lack of authentication during app-to-app and app-to-system interactions, and further proposes new techniques to detect and mitigate such a threat,” the researchers stated.
“This preliminary effort contributes to a better understanding of this understudied security problem, an important step for building a more effective app isolation mechanism on future OSes.”