Six university researchers found zero-day flaws in Apple’s iOS and OS X, which allow Apple’s password-storing keychain to be opened, app sandboxes snuffled, and App Store security checks ignored.
The team used the bug to upload malware to Apple’s app stores, and passed the vetting processes without Apple noticing. The malware, when installed on a victim’s Mac, stole passwords for iCloud and the Mail app, and all those stored within Google Chrome.
Lead researcher Luyi Xing told Apple about the bug, but Jobs’ Mob did nothing for six months. In fact the researchers still have not heard back.
The Indiana University researchers have now published a paper titled Unauthorized Cross-App Resource Access on Mac OS X and iOS so it is pretty certain that hackers will be exploiting it soon.
“The consequences are dire,” the team wrote.
More than 88.6 percent of 1,612 OS X and 200 iOS apps were found “completely exposed” to unauthorised cross-app resource access (XARA) attacks allowing malicious apps to steal otherwise secure data.
Apple asked for at least six months to fix the problems and requested an advanced copy of the research paper, which they got. However they did not do anything, which leads us to believe that Apple’s security experts believe their own reality distortion field about their product being invulnerable.
Google’s Chromium security team was more responsive, and removed keychain integration for Chrome, noting that it could likely not be solved at the application level