News

Researchers get password-stealing malware in App Store iOS and OS X

By admin
Spread the love

Researchers state that they have found critical vulnerabilities in iOS and OS X that have not yet been closed by Apple. Passwords can be obtained from apps via so-called cross-app resource access attacks, while malware can also be uploaded to the App Store.

The researchers, from Indiana University, Peking University and the Georgia Institute of Technology, write in a research report that it is possible in both OS X and iOS to access data from other apps via a malicious app. For example, they were able to extract passwords and tokens for iCloud from the keychain – a ‘vault’ for the shared storage of sensitive data within the operating system – via the cross-app resource access attack method. In doing so, the sandbox principle is circumvented: this security mechanism is intended to prevent such behavior by means of compartmentalization of software. Other cross-app software layers that Apple has developed, such as WebSocket and Scheme, could also be exploited.

In addition, the researchers say they managed to get manipulated, malicious apps through Apple’s approval process and made them available in the Mac App Store and the iOS App Store. This would allow attackers to place software on App Stores deemed safe to steal data from other legitimate apps. According to the researchers, a sample showed that about 88 percent of investigated OS X and iOS apps can be attacked in this way.

According to the researchers, they reported their findings, which they classify as very serious, to Apple in October last year. Apple is said to have requested that the publication of the research report be delayed for at least six months to address the issues, but after that period, the researchers received no further feedback from the Cupertino-based company. As a result, current versions of iOS and OS X still remain vulnerable to the security vulnerabilities described.

Meanwhile, the security researchers say they have developed an application that, until a fix is ​​released, could detect cross-app resource access attacks, although this tool has limited value. The researchers also provide a number of tips on how app developers can reduce the risk of such attacks.

You might also like
News

Google is serious about ending passwords: ‘passkeys’ are becoming the…

News

Apple has been working on its own search engine for years. It’s called…

News

Rumor: Apple is working on its own applications based on a large language model

News

EU Council determines position on security requirements for digital products

News

Citrix warns of critical vulnerability in NetScaler ADC and Gateway

News

Samsung develops first GDDR7 chips, mentions bandwidths of up to 32Gbit/s per pin