A new exploit discovered by researchers from Indiana, Georgia and Peking universities shows that the OS X Keychain, which stores all your passwords, is vulnerable to an attack that allows malicious apps to gather passwords.
The exploit, which is titled “Xara” utilizes cross-app resource access and works even within the OS X “sandboxed” app mode, which is designed to prevent such attacks.
Xara uses a method that hijacks the access-control mechanism used for Keychain access, to take control of passwords and other credentials added by legitimate apps and websites.
In the group’s research, it found that it was able to create a malicious app, successfully publish it on the App Store and once installed attack many popular apps, including Google Chrome, Evernote and WeChat.
Using the vulnerability, the researchers were able to hijack Facebook and iCloud passwords, along with a slew of other apps/services stored in Keychain. It noted that “the attack can only succeed when the attributes of the victim’s keychain item are predictable” however many services share the same name across Keychain stores.
Another attack as part of the exploit hijacks URL schemes that apps use to communicate with each other. Wunderlist, for example, uses the URL scheme “wunderlist://” to manage Google single-sign on, but a second app can register the same URL scheme and successfully steal Google’s private token.
The Register reports that Google’s Chromium team plans to pull support for Keychain from Chrome, citing an inability to solve the issue on its own. It’s unclear if support will return in the future.
When the group informed Apple of the vulnerability on October 15, 2014, Apple asked for six months to fix the problem, though both OS X 10.10.3 and 10.10.4 are still vulnerable to the attack.
➤Unauthorized Cross-App Resource Access on MAC OS X and iOS
No comments:
Post a Comment