Vulnerability "zero day" in iOS and OS X will allow to steal all data from the Apple Keychain

Experts from Indiana University and the Georgia Institute of Technology in the study Apple operating systems have identified the so-called threat of "zero day". This vulnerability in the security software could lead to the theft of the user's secret code, as the service is cracked Apple Keychain, keeping the pair of logins and passwords.

According to the site The Register, Vulnerability researchers said Apple in October last year. In response to Apple asked for six months did not publish details about the "hole" and allow the specialists of the company to solve the problem. In February 2015, the first work to remove the danger still were, and probably to the publication of the moratorium has been extended.

According to university staff, they were able to crack the new mechanism of communication between the "sandbox" applications. In iOS 8 Apple allowed isolated earlier programs send each other information about the accounts and thereby facilitate user authorization process in third-party applications. This opportunity and took advantage of the US security experts, first create a special application, and then through them having stolen passwords of other products of the App Store and Mac App Store. Surprisingly, the moderators Apple app stores did not have issues with the approval of malicious software and pilot programs with viruses fall into both stores.

The developers of popular applications, dealing with passwords arrays, responded to the vulnerability of different ways. Thus, the creator of 1Password said that he sees no way to protect against the exploit found. A team that is responsible for the safety of Chromium browser at all can abandon Apple Keychain support in Chrome for iOS and OS X.

It is worth noting that, despite the apparent danger, vulnerability does not automatically gain access to all passwords at once. About as well as other viruses in the iOS and OS X, this hack requires some action from the user. A person will need to enter your login and password on their own. In this case, the authorization window will be replaced with a fake, and the data will go not to the application but to the attackers.

Around the same way to steal passwords recently demonstrated Another security expert. Perhaps he exploited the same vulnerability, and the staff of US universities. However, while it was limited to only a forged authorization window in iCloud, though it said that it will be possible to falsify any pop-up window. Anyway, after many months of waiting for a response from Apple this person has already laid out a detailed description of the vulnerability of the Web, and hackers can use it at any time.

The only recommendation for a security standard phrases can become in such a situation about the installation of applications from trusted sources and reading emails from friends only contacts.

via