A group of six university researchers claim to have successfully bypassed Apple’s tight App Store approval processes to publish Mac and iOS malware apps. According to the report, the team presented the zero-day vulnerability to Apple back in October 2014 and were told to keep quiet about it for at least six months.
Luyi Xing, a security researcher who helped expose the zero-day vulnerability, has yet to hear back from Apple on a possible fix.
The team said the vulnerability makes it possible to raid iCloud Keychain and steal a user’s passwords. In theory, they can also sneak past the App Store approval process and get malware into the hands of anyone who unknowingly downloads the malicious app.
Even worse, the researchers were able to break out of app sandboxes and found they could steal passwords from any app on the iPhone, pre-installed or third-party.
“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allow a malicious app to gain unauthorized access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome,” Xing told The Register.
He added that his team has “identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”
The six researchers who discovered the zero-day published their findings in a 13-page document titled “Unauthorized Cross-App Resource Access on MAC OS X and iOS.” So far, AgileBits, creator of 1Password, and Google’s Chromium security team have acknowledged that a security issue of this magnitude cannot be solved within applications themselves. Apple will eventually have to step forward with a solution at the OS level.