Your confidential information, ranging from web passwords in Chrome and other browsers to app passwords to banking credentials stored and synced between devices through Apple’s iCloud Keychain service, and even data you thought was stored safely in password managers like 1Password and LastPass, can be easily compromised due to a trio of major vulnerabilities discovered in Apple’s desktop and mobile operating systems.
As discovered by a team of researchers at Indiana University, Georgia Tech and China’s Peking University and reported by The Register, Keychain’s access control lists, URL schemes and OS X’s app containers contain flaws that create serious attack vectors.
These zero-day flaws let malicious apps access, change and delete entries in a user’s Keychain, a central repository in both OS X and iOS for saving encrypted passwords and other private data.
“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps,” the team said.
Making matters worse, fixing these flaws is anything but trivial and would require significant architectural changes to the way OS X and iOS interact with apps.
A video from the researchers shows the Keychain vulnerability being exploited in the Google Chrome browser on OS X. They were able to raid banking credentials from Chrome on the latest Mac OS X 10.10.3 Yosemite, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults.
Google will be removing Keychain integration for Chrome until a fix is delivered because they couldn’t address these flaws at the application level.
Not only can these catastrophic weaknesses let a malicious app break into your Keychain, they also let it bypass the App Store security checks and break app sandboxes.
As a result, attackers can steal passwords from any installed app.
Another worrying proof-of-concept video shows a malicious Mac app stealing a user’s iCloud access tokens stored in the Keychain, potentially opening the door to major identity theft as more and more of our digital lives are stored in iCloud.
Given the gravity of the attacks, Apple asked for a six-month extension and in February requested an advance copy of the research paper before it was made public.
Apple has yet to deliver a fix via iOS and OS X software updates, so for the time being users are advised not to install apps from unknown sources and to be especially cognizant of any suspicious password prompts.