
Warning: Major iPhone Security Flaw Lets Hackers Steal All Your Passwords

Published Jun 17th, 2015 10:31AM EDT


A very serious security flaw in Apple’s iOS mobile platform and its OS X desktop operating system has been discovered by security researchers and seemingly acknowledged by Apple. Using the flaw, hackers can build an app that is capable of stealing any and all passwords saved in Apple’s Keychain. Additionally, the same flaw can reportedly be used to steal passwords directly from third-party apps as well as Apple’s own apps.


“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome,” security researcher Luyi Xing told The Register. “Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.”

Xing leads the team of seven researchers from Indiana University, Georgia Institute of Technology and Peking University that discovered this serious zero-day flaw.

The security expert continued, “We completely cracked the Keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”

The researchers say they made Apple aware of the flaw last year in October to give the company time to address it prior to making it public. Apple acknowledged the severity of the flaw, according to the team, but it remains present in the current versions of both iOS and OS X.

A video demonstration of the exploit follows below.

Zach Epstein Executive Editor
