Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Zero-day exploit lets App Store malware steal OS X and iOS passwords

Glenn Fleishman | June 18, 2015
Researchers have discovered an exploit that lets OS X and iOS malware in the App Store steal passwords and app data, as well as hijack session tokens.

Password stealing. The authors found that they could determine the parameters used for any app in the keychain: "the attributes of any keychain item are actually public, though their content (credential) is protected," they write.

A malicious app gains access to the keychain entry for a target app by either creating an entry before the victim, or by deleting one that exists. In either case, the malware is given access alongside the app when the entry is created or re-created.

...[A]ll the attacker needs to do is just identifying [sic] an existing item, removing it from the keychain and creating a new one of its own with the same attributes to wait for the target app to put its secret there.

A targeted app could check the access control list (ACL) used to limit what can access an OS X keychain entry, but this isn't required or recommended by Apple.

The researchers attacked Internet Accounts, the preference pane that manages system-wide account data, including iCloud passwords, and the Chrome browser in their testing, but the technique works with any app.

Changes introduced in OS X 10.10.3 and the 10.10.4 beta include an element designed to resist the flaw, but the researchers found it ineffective.

Container cracking. Each sandboxed app may have a protected data storage area, but when apps want to share data with other apps, this opens a weakness the paper's authors were able to exploit.

While Apple enforces uniqueness in the "Bundle Identifier" (BID) used to set up separate data storage containers in OS X, subsystems aren't help to the same requirements. A malicious program can use the BID of a subsystem to get itself added to the ACL for another app's main data container, allowing it full access.

Researchers performed end-to-end attacks on Evernote, WeChat, QQ, Money Control, and others listed in an appendix, and had an app approved in the App Store with this attack embedded.

For example, from the container of Evernote, our attack app, involving an XPC Service that hijacked the target app's BID, successfully stole all the contacts of the user and her private notes from

Internet socket interception. The Internet operates using addresses and ports. Addresses are unique to a given computer or mobile or other device. Ports are like apartments in an apartment building, each with a particular function.

In OS X, apps can register and use ports to communicate to and from browsers. The paper gives the example of 1Password, which has browser extensions that communicate with the main 1Password app.

A malicious app can hijack a port before it's registered by the targeted app, and intercept data. In 1Password's case, a malicious app (also approved through the App Store) could grab the password whenever a user logged into a web account.


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.