OS X and iOS 'XARA' Security Flaws Allow Attackers to Steal Saved Passwords

By NDTV Correspondent | Updated: 18 June 2015 16:36 IST
A team of security researchers has released information detailing a combination of exploits that would allow anyone to steal passwords that a user has stored in his or her iCloud Keychain and intercept data being shared between apps. The flaws relate to unauthorised cross-app resource access (XARA) as a result of using inadequately secure coding techniques, and affect both iOS and OS X.

The six researchers say they informed Apple of the problem six months ago and are releasing the information now because no fix has been forthcoming despite promises from the company and at least some contact during that time. It is extremely likely that attackers will jump at the opportunity to use this information to craft deadly and undetectable new ways of stealing passwords and other sensitive data.

As reported by The Register, the team was able to demonstrate working attacks that involved submitting apps to the Apple App Store, in which code designed to exploit the weakness was not detected. They were then able to steal passwords including those to email accounts.

According to the team, 1,612 popular apps were tested and 88.6 percent of them were found to be vulnerable to XARA attacks. Google Chrome, Facebook, WeChat and Evernote were amongst the popular apps specifically named by the team, to which they were able to gain access because of insecure cross-app sharing mechanisms. Even banking sites visited from within Chrome could be broken into once credentials were stolen.


Details are available in the paper titled Unauthorized Cross-App Resource Access on Mac OS X and iOS, which has been published online for anyone to see. Videos demonstrating potential attacks have also been uploaded to YouTube. According to the team, Apple had asked for six months' time to issue a fix, but despite there being some evidence that the company has been tweaking its security mechanisms, there has been no concrete solution. App developers will also have to make sure they are using best practices in order to keep users safe.


Apple is widely known for restricting apps on its platforms, especially the way they communicate with each other, in order to make sure there are secure barriers between them. Some of the flaws collectively being referred to as XARA also affect other platforms, particularly those on which URL schemes and HTML5 WebSockets are used to pass information between apps.
