This is interesting, in a depressing sort of way: it’s a report on Unauthorized Cross-App Resource Access on Mac OS X and iOS documenting a combination of issues that affect both OS X and iOS. The researchers behind the report are from the universities of Indiana, Tsinghua, and Peking, and the Georgia Institute of Technology. They state that:
“We reported this vulnerability to Apple on Oct. 15, 2014, and communicated with them again in November, 2014 and early 2015.”
However, they say that the issues have not so far been resolved. The report is quite long and detailed, but if you want a briefer summary, there have been plenty of summarizing articles:
- Graham Cluley for Intego: Serious Zero-Day Security Flaw in iOS and OS X Could Lead to Password Theft
- Dan Goodin for Ars Technica: Serious OS X and iOS flaws let hackers steal keychain, 1Password contents; Researchers sneak password-stealing app into Apple Store to demonstrate threat.
- Kyle Ellison for ESET: Apple iOS and OS X flaws leave passwords vulnerable
- Darren Pauli for The Register: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X; Keychains raided, sandboxes busted, passwords p0wned, but Apple silent for six months
- Brian Krebs: Critical Flaws in Apple, Samsung Devices
- The Samsung/Swift Keyboard issue mentioned by Krebs is also addressed by:
  - Ryan Welton for NowSecure: Remote Code Execution as System User on Samsung Phones re his Black Hat presentation
  - Paul Ducklin for Naked Security: Samsung keyboard app could let a crook crack your phone
  - Dan Goodin for Ars Technica: New exploit turns Samsung Galaxy phones into remote bugging devices; As many as 600 million phones vulnerable to remote code execution attack.
  - Vijay for Tech Worm: Hackers can use SwiftKey to remotely take over Samsung devices including Galaxy S6
  - Zack Whittaker for ZDNet: Samsung to issue security fix for 600 million Galaxy phones
  - John Leyden for The Register: Samsung rolls out updates to plug mobile keyboard snooping bug; We’ll fix this problem that isn’t actually a problem, no problem
David Harley
Small Blue-Green World