Monday, June 22, 2015

Hack iOS 9 Keychain Vulnerability Reveals Personal Info

You must read this post about the iOS 9 Keychain vulnerability in order to protect your personal information.
As you know, Apple’s iCloud Keychain service stores and syncs your private information between devices, ranging from web browser passwords to app passwords to banking credentials. According to recent reports, all of this data can be easily hacked because of vulnerabilities revealed in Apple’s desktop and mobile operating systems.

These vulnerabilities were discovered by a group of researchers at Indiana University, Georgia Tech and China’s Peking University. Their work, titled “Unauthorized Cross-App Resource Access on Mac OS X and iOS”, was published as a thirteen-page research paper. The researchers reported these Keychain vulnerabilities to Apple back in October 2014.

These flaws allow malicious apps to access, change and erase entries in a user’s Keychain, a central repository in both OS X and iOS for saving encrypted passwords and other personal data.

The team said that they completely cracked the keychain service (which stores passwords and other credentials for different Apple apps) and sandbox containers on OS X. They added that they also managed to identify new weaknesses within the inter-app communication mechanisms on OS X and iOS, which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.

It should be mentioned here that fixing these flaws would require significant architectural changes to the way OS X and iOS interact with apps.

This catastrophic weakness makes it possible to bypass the App Store security checks and hack app sandboxes. As a result, a thief gets the ability to steal passwords from any installed app.

The video above shows how a malicious Mac app can steal a user’s iCloud access tokens stored in the Keychain, potentially opening the door to major identity theft as more and more of our digital lives are stored in iCloud.

As you can see, the malicious app was able to steal the secret iCloud token used to sign in to iCloud via System Preferences.

Because Apple has not yet released a fix for the iOS 9 Keychain vulnerability through iOS and OS X software updates, we highly recommend that users not install apps from unknown sources.
