iOS and OS X are relatively secure, but no system is 100% reliable, and that is precisely what a team of several American and Chinese academics has just proven. While digging around, these experts stumbled upon a large security flaw endangering all our passwords.
If you have an iPhone or a Mac at home, you are no doubt familiar with Keychain Access, which makes sense since it has been available on both platforms for a few versions.
This tool is quite simple, quite basic: in the end it just saves all the passwords entered by users so that they do not have to type them again. This goes for iCloud, of course, but also for Mail and for all the passwords typed in the browser.
Apple has been in the know for six months, but the company has not yet released a fix.
Until now, everyone thought the tool was reliable, but this is clearly not the case. At least not as much as we thought. Researchers from three universities have indeed pinpointed a flaw in the solution.
Basically, the keychain compartmentalizes data between applications. Safari is therefore not able to access passwords stored by Mail and vice versa. The idea is obviously to prevent malware from gaining access to information stored by legitimate programs.
The researchers, however, have found a way to intercept the data exchanged between the applications and the component integrated into the keychain. With this technique, it is possible to recover on the fly the passwords being saved in the keychain.
The worst is yet to come: the researchers even went so far as to hide malware in an application before submitting it for validation on the App Store. Nobody noticed a thing, and the app quickly found its way onto Apple's store.
And guess what? Thanks to it, they managed to recover many passwords for Twitter, Facebook, iCloud and even… LastPass and 1Password.
The good news is that this technique is not retroactive and cannot recover old passwords already stored in the keychain, only new ones. The flaw is nonetheless very worrying.
The academics contacted the firm last October to report the problem. Apple asked them not to disclose the flaw so that it would have time to develop a fix. They waited for six months, to no avail.
Apple has not fixed the flaw, and it is precisely for this reason that the researchers have decided to make it public.
They have therefore published a full report accessible at this address. It details all their observations. If you read English and are interested in security, you should learn quite a bit.