Vulnerability in OS X and iOS allows malicious apps to steal passwords and other information [updated]

Six researchers from Indiana University, Georgia Tech and Peking University have published an extensive 13-page paper revealing security flaws in OS X and iOS that allow malicious apps, approved by the App Store review team and running in sandbox mode, to gain unauthorized access to sensitive information stored by other apps.

According to The Register, the group was able to submit an application to the App Store and get it through the approval process without raising any suspicion that it could break into Keychain Access to steal passwords for services and apps such as iCloud and Mail, authentication tokens, passwords saved by Google Chrome, and so on.

The channel used to steal this information varies: the Keychain and WebSockets on OS X, and URL schemes on both OS X and iOS. In this way, even information stored in the 1Password app can be stolen, which shows how serious the flaw really is (after all, the app's whole premise is to store and safeguard all your passwords and sensitive information in a single location). Besides 1Password, information from services and apps such as Gmail, Google Drive, Facebook, Twitter, Evernote, Pushbullet, Dropbox, WeChat, Instagram, WhatsApp, Pinterest, Dashlane, Any.do, Pocket and many others can also be stolen "easily".

Of the 1,612 Mac apps and 200 iOS apps examined, 88.6% were found to be "completely exposed" to the unauthorized cross-app resource access attack (dubbed XARA), allowing malicious apps to steal their data unhindered.

Still according to The Register, the flaws were reported to Apple in October 2014. The researchers then complied with Apple's request not to publish the information for six months. However, since the company has so far not fixed the problem or said anything further about it, the researchers are now disclosing the vulnerability publicly.

Let's hope that everything is fixed as soon as possible!

(via MacRumors)

Update · 06/19/2015 at 21:40

An Apple spokesman gave the following statement to the website iMore:

Earlier this week, we implemented a security update for applications on our servers, which protects application data and blocks apps with sandbox configuration problems from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the study's claims.