Six researchers από το Πανεπιστήμιο της Ιντιάνα έχουν εντοπίσει zero-day αδυναμίες στο iOS και το OS X της Apple. Οι ερευνητές υποστηρίζουν ότι μπορούν να σπάσουν το keychain της Apple, να παραβιάσουν sandboxes και να παρακάμψουν τους ελέγχους security of the App Store.
Attackers in this way can steal the passwords from each installed application, including Apple's email application without anyone being able to locate them!
The team was able to raise malware στο Αpple app store, χωρίς να τους εντοπίσουν οι έλεγχοι της Apple. Συνεχίζοντας μπόρεσαν να υποκλέψουν κωδικούς πρόσβασης για υπηρεσίες όπως το iCloud και την εφαρμογή E-mail, as well as all those stored in Google Chrome.
Survey chief Luyi Xing said they were delayed with the publication of the vulnerabilities as they obeyed Apple's request not to publish the survey for six months.
But to date, they have not got news from Apple, and security loopholes still exist on the company platforms.
So Xing, Xiaolong Bai, XiaoFeng Wang, and Kai Chen of Indiana University and Tongxin Li from Beijing University along with Xiaojing Liao of Georgia Institute of Technology published the research they called Unauthorized Cross-App Resource Access on MAC OS X and iOS.
"We recently discovered a number of security issues in Apple's Mac OS and iOS that allow a malicious application to gain unauthorized access to sensitive system data and other applications. "
"Our malicious applications have successfully passed the Apple review and evaluation process and have been published in the Apple App Store and Apple's iOS app store.
"We managed to completely break the keychain service - used to store passwords and other credentials for different Apple applications - the OS X sandbox, and we also identified new vulnerabilities in the communication mechanisms between OS X and iOS applications. The latest vulnerabilities could be used to spy on confidential data from Evernote, Facebook and other high-profile applications. "
