Six university security researchers from Indiana University, Georgia Tech and Peking University detailed several zero-day flaws in iOS and OS X that allow attackers to bypass Apple security measures and gain access to sensitive information stored in other apps. Sandboxed malicious apps can steal data such as iCloud keychain passwords, Google Chrome web passwords and more without detection, reports The Register.
"Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register's security desk.
"Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac App Store and iOS App Store."
The thirteen-page research paper details how cross-app communication services can be exploited to access data from apps such as 1Password, Evernote, Dropbox, Instagram, AnyDo, and others. Researcher Luyi Xing told The Register that he reported the vulnerability to Apple in October 2014 and has complied with the company's requested six-month moratorium.
Our take on the news: Security vulnerabilities in operating systems such as OS X and iOS are to be expected. How Apple responds to this threat is much more significant. The company was given six months to prepare; let's see what it will do now that this flaw has been exposed publicly.