Six researchers from Indiana University have identified zero-day weaknesses in Apple's iOS and OS X. The researchers claim they can crack Apple's keychain, breach sandboxes and bypass App Store security controls.
In this way, attackers can steal the passwords of every installed application, including Apple's email application, without anyone being able to detect them!
The team was able to upload malware to the Apple App Store without being detected by Apple's controls. Going further, they were able to bypass passwords for services such as iCloud and the email application, as well as all those stored in Google Chrome.
Lead researcher Luyi Xing said publication of the vulnerabilities was delayed because the team complied with Apple's request not to publish the research for six months.
But to date they have not heard from Apple, and the security holes still exist in the company's platforms.
So researchers Xing, Xiaolong Bai, XiaoFeng Wang and Kai Chen from Indiana University, Tongxin Li from the University of Beijing, and Xiaojing Liao from the Georgia Institute of Technology published the research, which they titled "Unauthorized Cross-App Resource Access on MAC OS X and iOS".
"We recently discovered a number of security issues in Apple's Mac OS and iOS that allow a malicious application to gain unauthorized access to sensitive system data and other applications."
"Our malicious applications successfully passed Apple's review and evaluation process and were published on the Mac App Store and Apple's iOS app store."
"We managed to completely break the keychain service - used to store passwords and other credentials for different Apple applications - the OS X sandbox, and we also identified new vulnerabilities in the communication mechanisms between OS X and iOS applications. The latest vulnerabilities could be used to spy on confidential data from Evernote, Facebook and other high-profile applications."