Researchers have discovered a major flaw in Apple's security framework that's made it possible for hackers to access users' iCloud, Gmail, Evernote, banking and other sensitive passwords. They've done so by intentionally creating malicious apps capable of subverting the protections on OS X and iOS operating systems. And then Apple allowed the cybersecurity researchers to post the apps on the Apple Store.
The Apple Store relies on a technique known as sandboxing to prevent a user's apps from accessing the log-in credentials, preferences, contacts and other settings on other apps. The process is supposedly aided by Apple engineers, who screen for malicious apps meant to wreak havoc on others in the system. But researchers from Indiana University, Peking University and the Georgia Institute of Technology proved it's still possible to create an app that takes information from what's available elsewhere on a user's device.
Of the 1,612 OS X and 200 iOS most popular apps currently available in the Apple Store, 88.6 percent were “completely exposed” as part of this hack, which they said was first reported to Apple in October 2014.
“The consequences are dire,” the team wrote in a research paper dubbed “Unauthorized Cross-App Resource Access on Mac OS X and iOS.” “For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokes of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome.”
While Apple has yet to publicly comment on the matter, the researchers said the hole still exists. The paper has yet to be published and was first reported Wednesday by the Register.