Six university researchers from Indiana University have revealed four vulnerabilities affecting Apple OS X and iOS. Dubbed XARA, for “cross-app resource attacks”, the vulnerabilities are described in depth in a whitepaper released on Wednesday.
According to the report, these vulnerabilities can be used to crack Apple’s password-storing keychain, break app sandboxes, and bypass App Store security checks. If successfully exploited, they could allow attackers to steal passwords, authentication tokens and other credentials from users.
The vulnerabilities can be summarized as:
1. Password-stealing vulnerability
Allows a malicious app to steal the credentials that the user has entered into the keychain when the user accesses the affected app.
2. Container Cracking
Allows a malicious app to gain access to the secure container belonging to another app and steal data from it.
3. IPC Interception
Allows a malicious app to claim the network port used by a legitimate application and intercept data intended for it, such as passwords or other sensitive information.
4. Scheme Hijacking
Allows a malicious app to steal access tokens and passwords.