There’s a major new security threat for owners of Apple devices, specifically iPhones, iPads and Mac computers. Researchers at Indiana University and the Georgia Institute of Technology have discovered a flaw in the way iOS and OS X apps interact with the Keychain password storage app, potentially giving thieves access to all your saved login credentials. Data stored in third-party apps like Facebook may also be vulnerable via the communications flaw.
According to U.K.’s The Register, the researchers first approached Apple about the potential security nightmare in October 2014. Apple requested researchers give it 6 months to fix the flaws before revealing the critical gap to the media. In February 2015, Apple requested an advance copy of the researchers’ paper. The issue is now being made public, it appears, to pressure Apple into faster action.
“"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps," explains lead researcher Luyi Xing of Indiana University Bloomington. He further notes how his team was able to use the flaw to steal banking logins from Google Chrome, steal photos from WeChat and compromise data stored in archival app Evernote.
The vulnerability is accessed via malware uploaded to the Apple App Store (the researcher’s test passed malware vetting by Apple), so in the short term at least, it pays to be suspicious of new apps from unknown developers. You should also be attentive to any unusual requests for you to enter your login information, especially when your phone typically handles such authentication.
Apple has not yet addressed this security issue, but both it and Google have acknowledged its existence. It’s important to get this vulnerability fixed on all your devices, so be sure to install any Apple operating system update as soon as the company makes it available. You should also make it a priority to update your most important passwords after the patch.