A number of newly discovered vulnerabilities affecting Apple’s Mac OS X and iOS operating systems could allow attackers to steal passwords and other credentials if successfully exploited. The vulnerabilities were uncovered by a team of researchers based in the University of Indiana, who discovered that the four separate flaws could allow a malicious app to bypass security controls and steal sensitive data from other apps. The vulnerabilities were reported to Apple in October 2014 and the company said it would require six months to roll out fixes. Although some issues have been addressed, most of the vulnerabilities remain unpatched.
Every app installed through Apple’s Mac App Store and iOS App Store is confined to a secure container on the computer known as a sandbox. These apps are granted limited privileges and if they need to access any additional resources outside of their own container, then the user needs to grant permission first. The researchers found four vulnerabilities in which unauthorized access could be granted, which they refer to as cross-app resource access (XARA) attacks.
1. Password-stealing vulnerability
Apple operating systems have a secure password storage feature known as Keychain which allows the user to store and retrieve passwords for various apps and online services. The first vulnerability allows a malicious app to create a keychain entry for another app. If the targeted app is not present on the computer and the user subsequently installs the app, its credentials are stored on the keychain entry created by the malicious app. If the targeted app is already installed, a malicious app can delete its existing keychain entry and create a new one, which the user will re-enter their credentials to the next time they access the targeted app.
2. Container cracking
The second vulnerability could allow a malicious app to gain access to the secure container belonging to another app and steal data from it. Each app container is given a unique identity known as a Bundle ID (BID).The Mac App Store doesn’t allow submitted apps to use a BID that’s already been used by another app.
However, a problem lies with sub-targets, apps that work embedded in another app, such as extensions, frameworks, or helper programs. The Mac App Store doesn’t verify if a sub-target’s BID is identical to those belonging to other apps or their sub-targets. An attacker could therefore use a malicious app with sub-targets that use BIDs belonging to other apps or their sub-targets. This could allow the malicious app to gain full access to another app’s container.
3. Inter-process communication (IPC) interception
A further vulnerability exists because cross-app IPC channels on Mac OS X and other platforms, such as WebSocket, contain flaws which expose critical information. For example, WebSocket is used to establish a connection between a server and a client. A malicious app could claim the port used by a legitimate application and intercept data intended for it, such as passwords or other sensitive information.
4. Scheme hijacking
The fourth vulnerability relates to the URL scheme apps used to pass data to another app. For example, URLs beginning with “mailto” direct data to the Mail app. This vulnerability allows a malicious app to hijack a scheme, which means data sent to the target app would be received by it instead. This could facilitate the theft of access tokens and other information.
Risk of exploitation
All apps distributed on the official Mac App Store and iOS App Stores are vetted by Apple and only sandboxed apps may be distributed. A Mac OS X feature called Gatekeeper blocks apps that are not signed by the Apple Store or a trusted developer.
However, the researchers created a proof-of-concept malicious app which passed the vetting and was briefly live on the Mac App Store before they removed it.
No known exploits of these vulnerabilities have occurred in the wild. However, as word spreads of their existence, Symantec believes it likely that attackers will begin attempting to exploit them.
Users of Mac OSX and iOS are advised to apply any security updates issued by Apple as and when they become available.
Exercise caution when installing new software and, if in doubt, opt for products from trusted vendors.
Keep security software up to date. This will limit the likelihood of any exploit being used to successfully deliver malware to your computer.