Flaws in iOS and OS X May Allow Theft

Keychain App
If you are thinking of using Apple's Keychain password-management app to store sensitive passwords, you had better think again.

UK's The Register reported that a group of university researchers found potentially deadly zero-day flaws in the iOS and OS X operating systems, which run on Apple computers and mobile devices.

The researchers added that the flaws may let attackers access the passwords in Keychain and even bypass the App Store's security checks, including stealing passwords from installed apps without raising an alarm.

Research group leader Luyi Xing said he and his team withheld publication of the research for six months at Apple's request but had not heard back. The team claimed the holes are still present in Apple's software.

The report added that the team uploaded malware to Apple's app stores. The malware can scan the keychain to steal passwords.

"The consequences are dire," The Register quoted the team as saying in its paper.

Xing said he reported the flaws to Apple in October 2014, and Apple security representatives asked for at least six months to fix the problems.

In February 2015, Apple requested an advance copy of the research paper.

In contrast, Google's Chromium security team responded quickly and removed Keychain integration for Chrome.

A separate report on 9to5mac said the best advice for now "would appear to be cautious in downloading apps from unknown developers – even from the iOS and Mac App Stores."

It also suggested that users "be alert to any occasion where you are asked to login manually when that login is usually done by Keychain."

"As ever, the best practice is never to allow either your browser or a password manager to store your most sensitive logins, such as for online banking."