Apple just finished patching the nasty goto fail bug in iOS 7 and OS X, but a report shows another vulnerability in iOS has been discovered that gives attackers access to every single touch you make, including your keystrokes.
The new vulnerability discovered by FireEye works on non-jailbroken iPhones and iPads running iOS versions 7.0.4 devices with iOS 7.0.4 7.0.5, and 7.0.6, as well as those running on 6.1.x.
FireEye says they’ve been collaborating with Apple on the bug and they’ve created a proof-of-concept monitoring app that records touch events for a user in the background. The flaw uses resources iOS provides for apps to run in the background to register presses on the screen, home button, volume buttons and TouchID without being detected by a users.
The monitoring app can’t tell exactly which key you’re pressing, but rather logs the X and Y coordinates of each touch, but that information could easily be used to decipher keystrokes.
Attackers could utilize the exploit by luring victims to phishing sites to install a malicious app, or exploit another remote vulnerability of some app and then monitor in the background.
A fix for the bug is pending but to avoid the security flaw in the meantime the only course of action iOS users have is to kill apps running in the background to prevent unwanted monitoring.
Source: FireEye
Via: ArsTechnica