A team of researchers from Indiana University, Peking University, and the Georgia Institute of Technology claim to have busted the keychain wide open—and according to the team, Apple hasn’t fixed the bug since being alerted to it in October 2014.
In a pair of videos and a lengthy research paper, Luyi Xing, Xiaolong Bai, Tongxin Li, XiaoFeng Wang, Kai Chen, and Xiaojing Liao detail a process in which a malicious app—like the one the team built and snuck past Apple’s App Store review process—can access extremely sensitive data such as the passwords and access tokens of other apps, including Apple’s own iCloud and Mail and even Google Chrome.
“We completely cracked the keychain service—used to store passwords and other credentials for different Apple apps—and sandbox containers on OS X,” lead researcher Luyi Xing told The Register, “and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
According to the researchers, Apple has known about this security issue since late 2014. The company asked for a 6-month delay before the team made its discovery public. But Apple then went silent and still has not patched the holes.
The overwhelming dominance of Microsoft’s Windows operating system has made it the prime target for hacking and malware over the past two decades. But as Apple’s OS X becomes more and more popular, these kinds of exploits will only grow more common. Now it’s up to Apple to respond with the appropriate fixes.