Categories: Breaking NewsHacking

XARA data stealing flaws affect Apple iOS, OSX

A team of researchers from Indiana University discovered a number of XARA vulnerabilities in both Apple’s OS X and iOS that allows Apple Keychain crack.

A team of researchers from Indiana University (Luyi Xing, Xialong Bai, XiaoFeng Wang, and Kai Chen lead by Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology) discovered a number of vulnerabilities in both Apple’s OS X and iOS, by exploiting one of them they succeeded in cracking of the Apple Keychain service.

The vulnerabilities are mainly related to the weak authentication implementation that could allow an attacker to steal authentication tokens, iCloud passwords, and user password saved on Google Chrome. The researchers classified the weaknesses as unauthorized cross-app resource access (XARA) and documented them in a study titled “Unauthorized Cross-App Resource Access on MAC OS X and iOS.”

The researchers discovered security issues related to the access-control list (ACL) implementation and problems in inter-app interaction services like Keychain, WebSocket on OS X, and URL Scheme on OS X and iOS. In short words, an attacker can exploit the flaws to modify Keychain entries to allow apps to perform several operations.

“An app within the sandbox has only limited privileges. By default, it can only read and write files within its container and some public directories. This policy is enforced by checking the developer’s signature on the app against an access-control list (ACL) associated with each directory (see Section 3.2). Also, it is not allowed to access network sockets, built-in camera, microphone, printer and other resources. Whenever use of such resources becomes necessary, the app explicitly requires them by declaring a set of entitlements within its property file (called plist file, very much like the Android manifest file)” reads the paper.

Due to the presence of the flaws, a sandboxed malicious app installed in the Apple system could gain access to sensitive data managed by other mobile apps. The researchers claim that the app can steal data from popular mobile apps like Facebook and Dropbox, the team also explained that they were able to steal information from the messaging app WeChat and even vaulted passwords from 1Password.

“Looking into the root cause of those security flaws, we found that in the most cases, neither the OS nor the vulnerable app properly authenticates the party it interacts with,” the paper says. 

The researchers designed a tool for automatically inspecting the source of the mobile apps and verify the presence of XARA flaws.

“To understand the scope and magnitude of this new XARA threat, we developed an analyzer for automatically inspecting Apple apps’ binaries to determine their susceptibility to the XARA threat, that is, whether they perform security checks when using vulnerable resource-sharing mechanisms and IPC channels, a necessary step that has never been made clear by Apple. “

The researchers published a video PoC demo to demonstrate how to steal an iCloud token from the Keychain:PoC demo to demonstrate how to steal an iCloud token from the Keychain:

The researchers highlighted the existence of another XARA weakness in the unique BID-based separation design in OS X that could be exploited for “container cracking.”

When apps’ container directories are disclosed, it makes it easy for other apps find them, and in turn, easy to hijack information from sandboxed apps like Evernote, Tumblr, and WeChat.

“Once the attack app is launched, whenever the OS finds out that the container directory bearing the sub-target’s BID (as its name) already exists, the sub-target is automatically added onto the directory’s ACL. As a result, the malicious app gains the full access to other apps’ containers, which completely breaks its sandbox confinement.”

Apple was informed of the XARA issues in October  and is still working to fix the issue, the researchers claim the only the iCloud issue appears to have been resolved.

Pierluigi Paganini

(Security Affairs – Apple, XARA vulnerabilities)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

8 seconds ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

14 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

21 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.