Skip to main content

Report: Mac OS X and iOS security flaws allow for password theft

Keychain Vulnerability of Google Chrome on OS X
A group of researchers from universities including the Georgia Institute of Technology have found that Apple’s iOS and OS X have significant zero-day security flaws. Lead Researcher Luyi Xing and his colleagues detailed the holes in their report, “Unauthorized Cross-App Resource Access on MAC OS and iOS.” The flaws, which started making headlines on June 17, permit malicious apps to snag passwords from Apple’s Keychain and third-party apps, according to 9to5mac.

To conduct their research, the authors of the report uploaded malware to Apple’s App Store. In the process, they did not trigger alerts signifying that their app could steal passwords for services, including Mail and iCloud.

“Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps,” the authors wrote in their report.

Xing says that his team reported the flaws to Apple in October 2014. Afterward, he complied with the company’s request to withhold the release of his report for six months, according to The Register. Thus far, Apple has not been immediately available for comment. However, the research team suspects that the security flaws are still present.

“We built end-to-end attacks on several high-impact apps (e.g., Facebook, Pinterest, etc.), identified the impacts of the threat over a thousand apps, and more importantly demonstrate that the attacks can be made stealthy (through different man-in-the-middle tricks on MAC OS and iOS, passing the stolen token to the victim app, to completely conceal the attack), which is nontrivial,” the report continues.

Thus far, much of the researchers’ work has been focused on Android security. This is one of the first reports that has been based on Apple’s security vulnerabilities. Xing and his team say that most of the problems stem from Apple’s cross-app resource sharing and communication methods.

Researchers concluded that approximately 90 percent of Mac and iOS apps were “completely exposed,” giving malware full access to sensitive data.

Editors' Recommendations

Krystle Vermes
Former Digital Trends Contributor
Krystle Vermes is a professional writer, blogger and podcaster with a background in both online and print journalism. Her…
Could the Huawei MateStation X dethrone Apple’s iMac?
Huawei MateStation X.

Huawei is updating its MateStation X with an all-new form factor, according to a leak on Weibo. The new desktop PC has an iMac-esque form factor, but with a 3:2 screen.

The leak, from a Weibo user named Uncle Mountain, dropped another bombshell — Huawei is ditching AMD hardware for Intel in the new MateStation X. The previous generation of this all-in-one desktop used a laptop-class AMD Ryzen 7 5800H, which was notably underpowered.

Read more
Thanks, I hate it: Someone installed macOS on a Steam Deck
macOS Catalina running on a Steam Deck.

Yesterday we got the news that Apple might bring macOS to the iPad Pro. Today, someone has managed to get macOS to run on a Steam Deck. And tomorrow? I’m betting we’ll see macOS installed on a toaster. You heard it here first.

Back to the Steam Deck. The feat was achieved by enterprising Reddit user Lampa183, who apparently was able to get macOS Catalina running inside a VirtualBox virtual machine on their device. In other words, this is several layers of operating systems and emulation. But the result is worth it … right?

Read more
Apple could launch a Frankenstein iPad Pro that runs macOS
ipad pro 2021.

People have been complaining for years that Apple should just merge its mobile and desktop operating systems, and they might finally see their wish come true -- sort of. That’s because a new rumor claims Apple is working on bringing macOS to the M2 iPad Pro, but it could be nothing more than a tall tale.

The rumor comes from leaker Majin Bu on Twitter, who claims their sources have told them Apple is working on a “smaller” version of macOS that would be exclusively for the M2 iPad Pro, which Apple has only just released.

Read more