[El Reg] Apple CORED: Boffins reveal password-killer 0days for iOS and OS X

Post by parityboy » Wed Jun 17, 2015 8:06 pm

The Indiana University boffins Xing, Xiaolong Bai, XiaoFeng Wang and Kai Chen joined Tongxin Li of Peking University and Xiaojing Liao of Georgia Institute of Technology to develop the research detailed in the paper Unauthorized Cross-App Resource Access on MAC OS X and iOS.

"Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register's security desk.

Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.

We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.

The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system's keychain and secret iCloud tokens, and passwords from password vaults.

https://www.youtube.com/watch?feature=player_embedded&v=S1tDqSQDngE