Your IT Consultant

Another Huge Security Hole in iOS and OS X

June 22, 2015

So much for the perceived safety of Apple products. Ars technica reports that researchers have discovered huge holes in the application sandboxes that are intended to protect Apple’s OS X and iOS operating systems. This means that the bad guys can create apps that can lift iCloud, Gmail and banking passwords along with data from the popular 1Password, Evernote and other apps.

Think you’re safe because of the walled garden approval requirement for the Apple Store? Guess again. The researchers were able to submit an app designed to bypass sandboxing protections, which was approved and vetted by Apple engineers to be safe. To quote the researchers paper, "For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome." They also intercepted passwords from 1Password and the secret token for Evernote. Pretty scary stuff.

Apparently, there isn’t much end users can do other than wait for Apple to fix the problem. If history is any indicator, it’s going to be a long time before the hole is plugged.

E-mail:   Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com