Six college researchers have revealed dangerous zero-day flaws in Apple’s iOS and OS X, claiming it’s entirely possible to crack Apple’s password-storing key chain, break app sandboxes, and bypass its App Store safety checks.
A variety of newly found vulnerabilities affecting Apple’s Mac OS X and iOS operating systems may permit attackers to steal passwords and different credentials if successfully exploited. The vulnerabilities were uncovered by a team of researchers based in the University of Indiana, who found that the 4 separate flaws could enable a malicious app to bypass safety controls and steal sensitive information from different apps. The vulnerabilities had been reported to Apple in October 2014 and the company stated it will require six months to roll out fixes. Although some issues have been addressed, a lot of the vulnerabilities remain un patched till the filing of this report.
Every app installed via Apple’s Mac App Store and iOS App Store is confined to a secure container on the pc generally known as a sandbox. These apps are granted restricted privileges and if they need to access any extra resources outside of their very own container, then the user must grant permission first. The researchers discovered 4 vulnerabilities by which unauthorized access could possibly be granted, which they refer to as cross-app resource access (XARA) attacks.
1. Password-stealing vulnerability
Apple operating systems have a safe password storage feature referred to as Key chain which permits the user to store and retrieve passwords for numerous apps and on-line services. The first vulnerability permits a malicious app to create a key chain entry for another app. If the targeted app isn’t present on the pc and the user subsequently installs the app, its credentials are saved on the key chain entry created by the malicious app. If the targeted app is already installed, a malicious app can delete its existing key chain entry and create a brand new one, which the user will re-enter their credentials the subsequent time they access the targeted app.
2. Container cracking
The second vulnerability could enable a malicious app to gain entry to the secure container belonging to another app and steal data from it. Each app container is given a unique id referred to as a Bundle ID (BID). The Mac App Store doesn’t permit submitted apps to make use of a BID that’s already been utilized by any another app.
However, an issue lies with sub-targets, apps that work embedded in another app, such as extensions, frameworks, or helper applications. The Mac App Store doesn’t verify if a sub-target’s BID is similar to those belonging to other apps or their sub-targets. An attacker might therefore use a malicious app with sub-targets that use BIDs belonging to other apps or their sub-targets. This may allow the malicious app to gain full entry to another app’s container.
3. Inter-process communication (IPC) interception
An additional vulnerability exists as a result of cross-app IPC channels on Mac OS X and other platforms, such as Web Socket, which contain flaws which expose vital data. For instance, Web Socket is used to establish a connection between a server and a client. A malicious app might claim the port utilized by a legitimate application and intercept data supposed for it, for example passwords or other sensitive data.
4. Scheme hijacking
The 4th vulnerability relates to the URL scheme apps used to pass information to another app. For example, URLs starting with “mailto” direct information to the Mail app. This vulnerability permits a malicious app to hijack a scheme, which implies data sent to the target app can be obtained by it instead. This may facilitate the theft of access tokens and other data.
Risk of exploitation
All apps distributed on the official Mac App Store and iOS App Stores are vetted by Apple and only sand boxed apps may be distributed. A Mac OS X feature known as Gatekeeper blocks apps that aren’t signed by the Apple Store or a trusted developer.
However, the researchers created a proof-of-concept malicious app which passed the vetting and was briefly live on the Mac App Store before they removed it from the store.
Here’s the boffins’ (the security guys) description of their work:
Our study brings to light a series of unexpected, security-critical flaws that can be exploited to circumvent Apple’s isolation protection and its App Store’s security vetting. The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sand-boxed.
Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms. Most importantly, the new understanding about the fundamental cause of the problem is invaluable to the development of better app isolation protection for future OSes.
In-depth technical details are available in the aforementioned link.
No known exploits of those vulnerabilities have occurred within the wild. However, as word spreads of their existence, we believe its highly likely that attackers will begin making an attempt to exploit them.
