A very serious security flaw in Apple’s iOS mobile platform and its OS X desktop operating system has been discovered by security researchers and seemingly acknowledged by Apple. Using the flaw, hackers can build an app that is capable of stealing any and all passwords saved in Apple’s Keychain. Additionally, the same flaw can reportedly be used to steal passwords directly from third-party apps as well as Apple’s own apps.
“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome,” security researcher Luyi Xing told The Register. “Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.”
Xing leads the team of seven researchers from Indiana University, Georgia Institute of Technology and Peking University that discovered this serious zero-day flaw.
The security expert continued, “We completely cracked the Keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
The researchers say they made Apple aware of the flaw last year in October to give the company time to address it prior to making it public. Apple acknowledged the severity of the flaw, according to the team, but it remains present in the current versions of both iOS and OS X.
A video demonstration of the exploit follows below.