Well, this is a bit awkward.
A group of researchers from Indiana University and the Georgia Institute of Technology have stated that security holes in both iOS and OS X allow a malicious app to steal passwords from Apple’s Keychain, as well as from both Apple and third-party apps.
The claims appear to have been confirmed by Apple, Google and others.
The published report offered the following:
“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
The team states that it reported the flaws to Apple in October of last year. At that time, Apple said that it understood the seriousness of the flaws and asked the researchers to give it six months to address them before the exploit was made public. In February, Apple requested an advance copy of the paper, yet the flaws remain present in the latest versions of both operating systems.
During tests, researchers were able to upload malware exploiting the vulnerabilities to both iOS and Mac App Stores, despite Apple’s vetting. The compromised apps were approved for OS X and iOS.
The team says that it tested the exploit against a wide range of both Mac and iOS apps, and found that almost 90% of them were “completely exposed,” allowing the malware full access to data stored in the apps, including login credentials.
A recently released video shows that the installed malware can obtain information from a keychain it creates for its own purposes, which is fairly disturbing. Once in place, it can collect information such as logins and passwords.
As always, the best advice is to use caution in deciding which applications to download, especially ones from unknown developers. Also be alert to any occasion where you are asked to log in manually when that login is usually handled by Keychain.
Stay tuned for additional details as they become available.
Via 9to5Mac and The Register