A huge security flaw has been discovered in Apple devices that could allow hackers to steal your passwords and data
REUTERS/Lucy Nicholson
In a newly-released paper, the research group explained how they tested a series of attacks that were able to bypass security checks, steal passwords, and even critical app data.
The vulnerability was discovered to exist on Apple devices including the iPhone, iPad, and Mac computers.
Due to the way Apple built apps to communicate with each other, the paper writes, researchers were able to "steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote."
Basically, these researchers were able to build a malware that was uploaded to Apple's App Store in the form of a typical app, which was then able to steal credentials from the existing apps on the researchers' phones. These credentials include passwords and other precious app data that's supposed to be off-limits.
The lead researcher, Luyi Xing, told the Register that his team was able to "gain unauthorized access to other apps' sensitive data such as passwords and tokens from iCloud, Mail app and all web passwords stored by Google Chrome."
According to the Register, Xing and his team informed Apple, which asked for six months to deal with issue. The six months have now passed and the vulnerabilities persist, say the researchers.
The ramifications of these findings could be huge. Very little has been written about the potential cross-app vulnerabilities in Apple's software, and this discovery shows some huge holes certainly exist.
The researchers tested this type of attack with large sample of Apple apps and found that "more than 88.6%" were completely exposed. These include extremely popular apps like password manager 1Password and Google Chrome.
"The consequences of these attacks are serious," the paper concludes, "including leak of user passwords, secrete tokens and all kinds of sensitive documents."
In short, this vulnerability could quickly become bad news for Apple if hackers or other malicious parties take advantage of the security holes, and there's no way to know if any attacks utilizing this method have already been carried out. For Apple's part, the company needs to figure out a way to patch the vulnerability across both its iOS and Mac OS X operating systems.
Business Insider has reached out to Apple, and we will update the post when we hear back.
You can watch a video showcasing how a malicious app can utilize the vulnerability to steal stored passwords from Google Chrome.
Next Story
A 53-year-old longevity researcher says his 'biological age' is a decade younger thanks to 4 daily habits — but the science behind them is mixed
OnePlus Nord CE 3 leaks ahead of launch – specs, expected launch date and more
New CEO of TCS Krithivasan gets a thumbs up from analysts who are betting on his experience & leadership skills
US condemns attack on Indian Consulate in San Francisco; pledges to defend safety, security
Paul Grant who played Ewok on Star Wars passes away at 56
Sensex, Nifty50 likely to open in the green amid positive global cues: Kotak Mahindra Bank, Adani Enterprises, Reliance Industries among stocks to watch
Always open for negotiation: Putin tells Xi Jinping on Ukraine peace plan
Time to accumulate bonds and lock-in attractive yields with peak rates around the horizon
