OS X and iOS 'XARA' Security Flaws Allow Attackers to Steal Saved Passwords

Advertisement
By NDTV Correspondent | Updated: 18 June 2015 16:36 IST
OS X and iOS 'XARA' Security Flaws Allow Attackers to Steal Saved Passwords
A team of security researchers has released information detailing a combination of exploits that would allow anyone to steal passwords that a user has stored in his or her iCloud Keychain and intercept data being shared between apps. The flaws relate to unauthorised cross-app resource access (XARA) as a result of using inadequately secure coding techniques, and affect both iOS and OS X.

The six researchers say they informed Apple of the problem six months ago and are releasing the information now because no fix has been forthcoming despite promises from the company and at least some contact during that time. It is extremely likely that attackers will jump at the opportunity to use this information to craft deadly and undetectable new ways of stealing passwords and other sensitive data.

As reported by The Register, the team was able to demonstrate working attacks that involved submitting apps to the Apple App Store, in which code designed to exploit the weakness was not detected. They were then able to steal passwords including those to email accounts.

According to the team, 1,612 popular apps were tested and 88.6 percent of them were found to be vulnerable to XARA attacks. Google Chrome, Facebook, WeChat and Evernote were amongst the popular apps specifically named by the team, to which they were able to gain access because of insecure cross-app sharing mechanisms. Even banking sites visited from within Chrome could be broken into once credentials were stolen.

Details are available in the paper titled Unauthorized Cross-App Resource Access on Mac OS X and iOS, which has been published online for anyone to see.Videos demonstrating potential attacks have also been uploaded to YouTube. According to the team, Apple had asked for six months' time to issue a fix, but despite there being some evidence that the company has been tweaking its security mechanisms, there has been no concrete solution. App developers will also have to make sure they are using best practices in order to keep users safe.

Advertisement

Apple is widely known for restricting apps on its platforms, especially the way they communicate with each other, in order to make sure there are secure barriers between them. Some of the flaws collectively being referred to as XARA also affect other platforms, particularly those on which URL schemes and HTML5 WebSockets are used to pass information between apps.

 
Post your comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Apple, OS X, XARA, hack, iCloud, iCloud Keychain, iOS, passwords, security, security flaw, security vulnerability, sensitive information
Vu Launches 'Made for TV' TViST Speakers
Google Unveils Nest Cam Security Camera, Upgraded Nest Protect Smoke Detector
Advertisement

Related Stories

WWDC 2025: Xcode 26 Adds ChatGPT Integration, Support for Other AI Models
10 June 2025
iPadOS 26 Brings Improved Multitasking With New Windowing System, Menu Bar, and More
10 June 2025
WWDC 2025: visionOS 26 Announced With Improvements to Personas and New Spatial Features
10 June 2025
WWDC 2025: Apple Announces tvOS 26 With Liquid Glass Design, Personalised FaceTime Experience, and More
10 June 2025
iOS 26 and iPadOS 26 Drop Support for Three Older Devices: Check If Yours Made the Cut
10 June 2025
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Android 16 Update Is Coming Soon - Here's What to Expect
  2. Realme Announces Limited-Time Discounts on Realme GT 7 Series in India
  3. Motorola Edge 60 With 5,500mAh Battery Launched in India: Price, Offers
  4. iOS 26, iPadOS 26 Are Compatible With These iPhone and iPad Models
  5. Apple Announces iOS 26 With Liquid Glass Design, These New Features
  6. Nothing Phone 3 Leaked Render Suggests Design, Triple Rear Camera Unit
#Latest Stories
  1. Latest Windows 11 Insider Preview Lets You Try a New Start Menu With Scrollable Interface, More Features
  2. Vodafone Idea (Vi) Announces Rollout of 5G Services in Bengaluru
  3. Android 16 Update Release Date, Eligible Devices and What to Expect
  4. Realme GT 7, Realme GT 7T Get Up to Rs. 6,000 Discount for a Limited Time in India
  5. Nothing Phone 3 Leaked Render Suggests Transparent Back Panel, Triple Rear Cameras, No Glyph Interface
  6. ChatGPT Down: Thousands of Users Report Problems While Generating Responses, Video Generation on Sora
  7. Hollow Knight: Silksong Will Release Before Holiday 2025, Not Tied to Xbox Ally Launch, Developer Says
  8. Samsung Galaxy S25 Ultra Allegedly Saves Life by Stopping Shrapnel; Samsung Offers Free Repair
  9. WWDC 2025: Xcode 26 Adds ChatGPT Integration, Support for Other AI Models
  10. Vivo Y400 Pro Design, Key Specifications Leaked; Tipped to Get Dimensity 7300 SoC, 5,500mAh Battery
Gadgets 360 is available in
Follow Us
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.