If you haven’t already installed Apple’s latest round of software updates, go do it now.
A flaw in earlier versions of iOS, OS X, tvOS and watchOS makes it possible for hackers to remotely steal saved passwords from your Apple devices without your knowledge.
Remember that dreaded Stagefright vulnerability discovered in Android a year ago? It allowed hackers to access millions of devices using nothing more than a malicious MMS message, and Google’s platform got a lot of stick from it — especially from Apple fans.
Now those Apple fans — and millions of others — have a very similar problem.
Tyler Bohan, senior security researcher at Cisco Talos, has discovered a serious vulnerability in “ImageIO,” a framework built into Apple’s platforms that handle image data. Hackers are able to take advantage of this to steal passwords stored locally on your devices.
This includes Wi-Fi keys, login details for websites visited in Safari, and email passwords.
“An attacker could create an exploit – a little program that takes advantage of vulnerabilities – and send it via a multimedia message (MMS) inside a Tagged Image File Format (TIFF),” explains Forbes.
“The user would have no chance of detecting the attack, which would begin to write code beyond the normal permitted boundaries of an iPhone’s texting tool.”
What’s really worrying about this flaw is that, other than updating your device right away, there’s no way to avoid it. Once the MMS message has been received, it’s already too late; the attack is carried out and you can do nothing to prevent it.
The attack could be even more severe on OS X. Unlike iOS, which has sandboxing that prevents the malicious MMS from executing code without root access via a jailbreak, OS X is more open, allowing attackers to take full control of your machine.
Bohan describes the flaw as “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.” He recommends that all users update to the latest versions of iOS, OS X, tvOS, and watchOS now to ensure they aren’t at risk.