Zero-day exploit lets App Store malware steal OS X and iOS passwords
TL;DR – Security researchers discover a serious Zero-day exploit in Mac OS X and iOS which can be exploited to steal the app data, passwords and various other credentials.
A group of six security researchers from Indiana University and the Georgia Institute of Technology have found a major Apple Zero-day security flaw in both iOS as well as Mac OS X, which allows the malware to gain unauthorized access to the credentials of the device’s apps thus aiding that attackers to steal user’s sensitive data such as iCloud passwords, Mail app and all the web passwords that are stored by the Google Chrome. In short this exploit will directly expose the Apple’s Keychain and other apps including those of the third party.
This flaw has been confirmed by Apple, Google Chrome and others.
The research has been published in a paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS. The researchers involved were: Xing; Xiaolong Bai; XiaoFeng Wang; and Kai Chen joined Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology.
While speaking to the security desk of The Register, the team mentioned that they had brought this vulnerability to the notice of Apple in October 2014. Then, Apple said that it understands how serious this exploit is and asked the team to give them a time span of six months in which they would address and provide some solution to this flaw. Apple also told the researchers to not disclose this flaw in public till they fixed this problem.
In February 2015 Apple requested the team to provide them an advance copy of their research paper. Sadly, the research team have confirmed that the flaws are present even in the latest versions of Mac OS X as well as iOS and hence they had to bring this vulnerability in public.
Xing said: “We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
Xing added: “Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store. We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
The research team further also mentioned that despite the strong vetting of Apple they could upload malware which exploited the vulnerabilities to the Mac OS X and iOS App stores. It seems these apps which were vulnerable to attack were approved for both the operating systems.
The group also tested the exploit on a wide range of Mac and iOS apps and the result was terrible as it showed almost 90% of the apps were vulnerable and it gave complete access to the malware, not only with respect to the stored data but also to the login credentials.
Developer of  1Password app, AgileBits, accepted that it could not find any way to protect the app against the exploit.  A recent blog post from AgileBit’s Jeffrey Goldberg says: “Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem.”
As per the security research group, Google’s Chromium security team was more responsive and they removed the Keychain integration for Chrome. The security team from Google Chrome also confirmed that when the attack is at an application level it would be almost impossible to protect against the exploit
The security research group further also released a video which exposed the Keychain Vulnerability of Google Chrome on OS X.  (check the video below)
In response to the post by The Register, one of the comments on the Hacker News suggests that though the malware cannot directly access the existing Keychain entries; however it can force users to login manually and then capture the sensitive credentials in a newly created entry, thus indirectly getting unauthorized access to the sensitive data of users.
The security researchers further also said: “Keychain items have access control lists, where they can whitelist applications, usually only themselves. If my banking app creates a keychain item, malware will not have access. But malware can delete and recreate keychain items, and add both itself and the banking app to the ACL. Next time the banking app needs credentials, it will ask me to reenter them, and then store them in the Keychain item created by the malware.”
The security researchers warn all Mac OS X and iOS users to be more cautious whenever they are downloading apps from unknown developers, be it from iOS and Mac App Stores. Further, in case where login needs to be done by Keychain and if the system still asks users to login manually then this should raise an alarm and alert the users that there is something wrong in the system.
Earlier this month Mac BIOS/EFI vulnerability was revealed wherein the exploit would give permanent control of a Mac to the attacker and a reformatting of drive also would not help the user to stop attacker from accessing and controlling the Mac.
Another vulnerability detected this month was a bug in the iOS Mail app which could probably be a phishing attack wherein an attacker would run a remote HTML code whenever user opens an email and with that code the attacker could imitate an iCloud login prompt thus forcing users to give their Apple ID credentials.
Security researchers say as a thumb rule, it is essential that users should never allow their browser or a password manager to store the sensitive logins such as online banking credentials.
The security researchers further also mention: “The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed. Such findings […] are just a tip of the iceberg.”
In their paper the researchers have mentioned: “Looking into the root cause of those security flaws, we found that in the most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with. Fundamentally, the problem comes from the challenge for an app to authenticate the owner of an existing Keychain item. Apple does not offer a convenient way to do so.”
