A group of researchers from Indiana University say that they’ve found a handful of vulnerabilities in both Apple’s OS X and iOS, and perhaps more worrisome, cracked the Keychain service that the company uses for apps and their sandboxes on OS X.
A series of weak app-to-app authentication vulnerabilities is to blame. If strung together, the issues could be leveraged to exploit Apple apps and steal iCloud passwords, authentication tokens, and saved web passwords on Google Chrome, the researchers warned in an academic paper published Wednesday.
To carry out the research, Indiana students Luyi Xing, Xialong Bai, XiaoFeng Wang, and Kai Chen were assisted by Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology.
The students, who work in IU’s System Security Lab, collectively refer to the weaknesses as unauthorized cross-app resource access, or XARA, in the paper, “Unauthorized Cross-App Resource Access on MAC OS X and iOS.” (.PDF)
The weaknesses could make it so if a sandboxed malicious app, already vetted by Apple, was present on a machine, it could gain access to other apps’ sensitive data. When reached Wednesday Xing claimed the researchers will release their tool to the public later this year through its demo website. In their paper the researchers claim that the app can glean information from apps like Dropbox, Facebook, and Evernote, along with the messaging app WeChat, and even vaulted passwords from 1Password.
The problem stems from weak and faulty access-control list (ACL) implementation and problems in inter-app interaction services like Keychain, WebSocket on OS X, and URL Scheme on OS X and iOS, according to the researchers. As a result, sandboxed apps can delete arbitrary Keychain entries and recreate them with an ACL, in turn allowing them to read out keys and values.
The malicious app the researchers came up with can delete and recreate Keychain items, meaning it can add itself and targeted apps to an ACL. When users are asked to update their credentials, they’ll be unknowingly storing it in a Keychain item created by the malware.
“Looking into the root cause of those security flaws, we found that in the most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with,” the paper says. “Fundamentally, the problem comes from the challenge for an app to authenticate the owner of an existing Keychain item. Apple does not offer a convenient way to do so.”
Xing and company claim they were able to stage an attack against OS X 10.10’s Internet Accounts app and hijack the Keychain item the app uses for iCloud and Facebook. In a video demo posted alongside the paper, Xing, demonstrates how he was able to steal an iCloud token from Keychain:
Although through different means of execution, subsequent videos published demonstrate how the app can steal passwords from Chrome, tokens from Pinterest and Pushbullet, notes from Evernote, and passwords from 1Password.
Another type of XARA, a weakness in the unique BID-based separation design in OS X can lead to what the researchers call “container cracking.”
When apps’ container directories are disclosed, it makes it easy for other apps to find them, and in turn, easy to hijack information from sandboxed apps like Evernote, Tumblr, and WeChat.
“Once the attack app is launched, whenever the OS finds out that the container directory bearing the sub-target’s BID (as its name) already exists, the sub-target is automatically added onto the directory’s ACL. As a result, the malicious app gains the full access to other apps’ containers, which completely breaks its sandbox confinement.”
The researchers acknowledge that the real vulnerabilities here affect OS X but that iOS doesn’t get off scot-free. Its IPC channel, Scheme, is also vulnerable to hijacking while an issue with WebSocket is also present.
According to the researchers Apple was briefed on the issues in October – and then again in November – but officials from the company insisted the issues would take six months to fix, “given the nature of the problem.”
When reached Wednesday, a spokesperson from Apple claimed the company was looking into the issue.
The researchers claim the iCloud issue appears to have been resolved with the latest stable OSX update, but that still some outstanding problems remain.
“We checked the most recent OS X 10.10.3 and beta version 10.10.4 and found that they attempted to address the iCloud issue using a 9-digit random number as accountName,” the researchers write, adding that account name attributes for other services like Gmail, are still the user’s email address.