
Critical flaw leaves all Apple devices open to password thieves

Update your devices today to be safe.
Photo: Faris Algosaibi/Flickr CC

If you haven’t already installed Apple’s latest round of software updates, go do it now.

A flaw in earlier versions of iOS, OS X, tvOS and watchOS makes it possible for hackers to remotely steal saved passwords from your Apple devices without your knowledge.

Remember that dreaded Stagefright vulnerability discovered in Android a year ago? It allowed hackers to access millions of devices using nothing more than a malicious MMS message, and Google’s platform got a lot of stick from it — especially from Apple fans.

Now those Apple fans — and millions of others — have a very similar problem.

Tyler Bohan, senior security researcher at Cisco Talos, has discovered a serious vulnerability in “ImageIO,” a framework built into Apple’s platforms that handles image data. Hackers are able to take advantage of this to steal passwords stored locally on your devices.

This includes Wi-Fi keys, login details for websites visited in Safari, and email passwords.

“An attacker could create an exploit – a little program that takes advantage of vulnerabilities – and send it via a multimedia message (MMS) inside a Tagged Image File Format (TIFF),” explains Forbes.

“The user would have no chance of detecting the attack, which would begin to write code beyond the normal permitted boundaries of an iPhone’s texting tool.”
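The Forbes description above is the classic shape of an image-parser memory-safety bug: the file declares a size, and the decoder trusts it. The page gives no details of the ImageIO defect itself, so the following is an added, constructed C example (not Talos's, Forbes's or Apple's code) showing the bounds checks a minimal single-strip TIFF reader must make before it copies pixel data. It embeds two constructed files: a well-formed one, and one whose StripByteCounts tag claims far more data than the file holds. Tag numbers 273 and 279 are the standard TIFF StripOffsets and StripByteCounts tags; every function, constant and sample-file name is this example's own.

```c
/* Added example: bounds-checked single-strip TIFF reader (constructed
 * illustration, not Apple's ImageIO or Cisco Talos's code).
 * Every offset and length comes from the untrusted file and is checked
 * against the real buffer size before it is used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum tiff_status {
    TIFF_OK = 0,
    TIFF_TOO_SHORT,       /* fewer than the 8 header bytes */
    TIFF_BAD_MAGIC,       /* not a little-endian "II" + 42 header */
    TIFF_BAD_IFD,         /* IFD offset or entry table lies outside the file */
    TIFF_MISSING_STRIP,   /* no single-value StripOffsets / StripByteCounts pair */
    TIFF_STRIP_OVERFLOW,  /* declared strip runs past the end of the file */
    TIFF_DST_TOO_SMALL    /* strip is larger than the caller's output buffer */
};

#define TAG_STRIP_OFFSETS     273   /* standard TIFF tag numbers */
#define TAG_STRIP_BYTE_COUNTS 279
#define TYPE_LONG             4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the image strip described by the first IFD into dst (capacity cap).
 * Returns TIFF_OK and sets *out_len on success; on any failure nothing is
 * written to dst. */
enum tiff_status tiff_extract_strip(const uint8_t *buf, size_t len,
                                    uint8_t *dst, size_t cap, size_t *out_len)
{
    if (len < 8) return TIFF_TOO_SHORT;
    if (buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return TIFF_BAD_MAGIC;

    uint32_t ifd = rd32(buf + 4);
    /* Subtract from len rather than adding to the untrusted offset, so the
     * comparison can never wrap around. */
    if (ifd > len || len - ifd < 2) return TIFF_BAD_IFD;
    uint16_t n = rd16(buf + ifd);
    /* n <= 65535, so n * 12 + 4 fits comfortably in size_t. */
    if (len - ifd - 2 < (size_t)n * 12 + 4) return TIFF_BAD_IFD;

    uint32_t strip_off = 0, strip_len = 0;
    int have_off = 0, have_len = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4), value = rd32(e + 8);
        if (type != TYPE_LONG || count != 1) continue;   /* single-strip images only */
        if (tag == TAG_STRIP_OFFSETS)     { strip_off = value; have_off = 1; }
        if (tag == TAG_STRIP_BYTE_COUNTS) { strip_len = value; have_len = 1; }
    }
    if (!have_off || !have_len) return TIFF_MISSING_STRIP;

    /* The two checks a decoder must not skip: the strip must lie inside the
     * file, and it must fit the destination it is about to be copied into. */
    if (strip_off > len || strip_len > len - strip_off) return TIFF_STRIP_OVERFLOW;
    if (strip_len > cap) return TIFF_DST_TOO_SMALL;

    memcpy(dst, buf + strip_off, strip_len);
    *out_len = strip_len;
    return TIFF_OK;
}

/* Constructed sample files. Layout: 8-byte header, IFD at offset 8 with two
 * LONG entries, 4-byte next-IFD pointer (0), then 4 bytes of strip data at 38. */
static const uint8_t GOOD_TIFF[42] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,          /* header, IFD at 8 */
    0x02,0x00,                                        /* 2 IFD entries */
    0x11,0x01, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x26,0x00,0x00,0x00, /* StripOffsets = 38 */
    0x17,0x01, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, /* StripByteCounts = 4 */
    0x00,0x00,0x00,0x00,                              /* no next IFD */
    0xAA,0xBB,0xCC,0xDD                               /* strip data */
};
/* Identical, except StripByteCounts claims 0xFFFFFFFF bytes: a decoder that
 * trusted it would copy far past both the file and the output buffer. */
static const uint8_t BAD_TIFF[42] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,
    0x02,0x00,
    0x11,0x01, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x26,0x00,0x00,0x00,
    0x17,0x01, 0x04,0x00, 0x01,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF,
    0x00,0x00,0x00,0x00,
    0xAA,0xBB,0xCC,0xDD
};

static uint8_t DEMO_DST[16];   /* fixed-size output buffer the strip is copied into */
static size_t  DEMO_LEN;

int main(void)
{
    enum tiff_status s = tiff_extract_strip(GOOD_TIFF, sizeof GOOD_TIFF,
                                            DEMO_DST, sizeof DEMO_DST, &DEMO_LEN);
    printf("good file: status %d, copied %zu bytes\n", s, DEMO_LEN);
    s = tiff_extract_strip(BAD_TIFF, sizeof BAD_TIFF, DEMO_DST, sizeof DEMO_DST, &DEMO_LEN);
    printf("bad file:  status %d (%s)\n", s, s == TIFF_STRIP_OVERFLOW ? "rejected" : "accepted");
    return 0;
}
```

The point of the two subtraction-style comparisons is that an attacker controls every 32-bit field in the file; adding a declared offset and length together before comparing would let a large length wrap the sum back below `len` and pass the check, which is exactly the "write beyond the permitted boundary" outcome the quote describes.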

What’s really worrying about this flaw is that, other than updating your device right away, there’s no way to avoid it. Once the MMS message has been received, it’s already too late; the attack is carried out and you can do nothing to prevent it.

The attack could be even more severe on OS X. Unlike iOS, where sandboxing keeps the malicious MMS from executing code with root privileges unless the device is jailbroken, OS X is more open, allowing attackers to take full control of your machine.

Bohan describes the flaw as “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.” He recommends that all users update to the latest versions of iOS, OS X, tvOS, and watchOS now to ensure they aren’t at risk.


7 responses to “Critical flaw leaves all Apple devices open to password thieves”

  1. Everyone's Horrible 2016 says:

    Major difference. If the fix is an update, then most people are already safe. Guaranteed if the fix for Stagefright was an update, millions are still exposed.

  2. RicharD Faramund says:

    Why do you scare people? After all, Apple fixed the problem.

  3. Barry Marshall says:

    Hmmmmm. Wonder if this was one of the flaws the DOJ paid for to get into an iPhone.

    • Richard Liu says:

      That’s FBI, not DOJ, and FBI did that by a brute force method — guess the passcode and, if wrong, cut the power immediately before the safety lock took action. It’s not that hard since they only have to repeat at most 9999 times. A few weeks would be sufficient with dedicated hacking equipment.

  4. RosynaKeller says:

    Uhm, how do they come to this conclusion? Getting access to passwords requires getting access to the Keychain, which is *always* sandboxed on iOS and Mac OS X.

  5. Konrad Skeri Ekblad says:

    Which brings the question: Will Apple release updates to old iOSes so that users of iPhone 4 and older devices will be protected from this vulnerability?
