Skip to main content

Serious OS X and iOS flaws let hackers steal keychain, 1Password contents



Researchers have uncovered huge holes in the application sandboxes protecting Apple's OS X and iOS operating systems, a discovery that allows them to create apps that pilfer iCloud, Gmail, and banking passwords and can also siphon data from 1Password, Evernote, and other apps.

The malicious proof-of-concept apps were approved by the Apple Store, which requires all qualifying submissions to treat every other app as untrusted. Despite the supposed vetting by Apple engineers, the researchers' apps were able to bypass sandboxing protections that are supposed to prevent one app from accessing the credentials, contacts, and other resources belonging to another app. Like Linux, Android, Windows, and most other mainstream OSes, OS X and iOS strictly limit app access for the purpose of protecting them against malware. The success of the researchers' cross-app resource access—or XARA—attacks, raises troubling doubts about those assurances on the widely used Apple platforms.

"The consequences are dire," they wrote in a research paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS. "For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome." Referring to interprocess communication, which is the tightly controlled and Apple-approved mechanism for one app to interact with another and the Bundle ID token used to enforce sandbox policies, the researchers continued:

Read More

Labels

Labels:

Comments

  1. AnonymousJune 24, 2015 at 7:27 PM

    Hi, I'm Megan and I work for AgileBits, the makers of 1Password.

    I just wanted to clarify here that the attack described in this research is not directed at the encrypted 1Password database. For our security expert's thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we'd love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.

    ReplyDelete

Post a Comment

Popular posts from this blog

How To Hide Text In Microsoft Word 2007, Reveal It & Protect It

Sometimes what we hide is more important than what we reveal. Especially, documents with sensitive information, some things are supposed to be ‘for some eyes only’. Such scenarios are quite common, even for the more un-secretive among us. You want to show someone a letter composed in MS Word, but want to keep some of the content private; or it’s an official letter with some part of it having critical data. As important as these two are, the most common use could involve a normal printing job. Many a time we have to print different versions of a document, one copy for one set of eyes and others for other sets. Rather than creating multiple copies and therefore multiple printing jobs, what if we could just do it from the same document?  That too, without the hassle of repeated cut and paste. We can, with a simple feature in MS Word – it’s just called Hidden and let me show you how to use it to hide text in Microsoft Word 2007. It’s a simple single click process. Open the docum...
1 comment
Read more

Boom, the startup that wants to build supersonic planes, just signed a massive deal with Virgin

Have you heard about Boom? Boom is a relatively new startup that’s aiming to build something pretty crazy. They’re not building an app… or a social network… or even some new gadget for the Kickstarter crowd. Boom wants to build planes. Really, really, really fast planes. Specifically, they’re trying to design and build a supersonic passenger plane that goes 2.2x the speed of sound. If all goes to plan, they’ll be able to shuttle people from New York to London in 3.5 hours, and SF to Tokyo in 4.5. Sound crazy? I wouldn’t disagree. It’s worth noting that the company is in the very early days for something as intensive, massive, and hugely expensive as designing and producing a passenger aircraft. They’re still working on their first prototype, and hope to fly it by late next year. But it’s also worth noting that the team behind the plane has some serious talent in its blood: the company’s 11 employees have collectively contributed to over 30 aircrafts — having worked on thin...
Post a Comment
Read more

Fun Tools to Translate Your Name into Japanese Calligraphy

Japanese calligraphy is an artistic writing style of the Japanese language. Its Chinese origins can be traced back to the twenty-eighth century BCE. Calligraphy found its way into Japanese culture in 600 CE and is known as the karayo tradition. For Westerners, calligraphy is forever fascinating. However, it takes years to learn how to properly draw the signs. Two basic principles must be known to understand Japanese writing: there are different writing styles and different alphabets. Kaisho for example, is a writing style most commonly used in print media. Tensho on the other hand is used in signatures. Other writing styles are Reisho, Gyosho and Sousho. The alphabets include Kanji, Hiragana, and Katakana. Katakana is used for writing foreign words. It can also serve to highlight words, in analogy to capital letters as we know them from the Roman / Latin alphabet (Romaji in Japanese). Each Kanji character has a meaning of its own, while Hiragana or Katakana characters merely repres...
Post a Comment
Read more