University researchers have exposed a security flaw in iOS and OS X that lets an installed app exploit Apple’s cross-app resource sharing and communication to steal passwords from other apps and Apple’s Keychain, The Register reports. The team says they were able to upload their malware into an app that successfully passed the App Store’s vetting process. Once the app was downloaded, the researchers were able to raid users’ Keychain to steal passwords for iCloud, the Mail app and anything stored within Google’s Chrome browser.
The team was able to steal banking credentials from Chrome, copy photos from WeChat and gain access to popular cloud service Evernote. Nearly 90 percent of a large sample of OS X and iOS apps were found to be “completely exposed” to the attack. Lead researcher Luyi Xing said his team informed Apple of the problem in October 2014 and complied with Apple’s request to hold off publishing the research for 6 months, but hasn’t heard back from the company since delivering an advance copy of the findings to Apple in February.
Apple didn’t comment on the story, but Google’s Chromium security team has since removed Keychain integration for Chrome, saying the security flaw probably can’t be solved at the application level. AgileBits, which owns browser extension 1Password, said their company hadn’t found a way to fend off the attacks four months after the team’s disclosure. Since the malware was delivered in an app that got past Apple’s vetting process, the only protection for iOS and OS X users at this point is to scrutinize the developer before downloading an app and be wary of login prompts for things usually handled by Keychain.