Xara vulnerability, stealing passwords in OS X And ​​iOS

XARA2

What is XARA?

IT security researchers released information detailing the combination of exploits that would allow someone to steal passwords of user in his ICloud keychain and intercept data shared between applications. Disadvantages associated with unauthorized access of resources of cross-application. This is referred as XARA (Cross-app Resource Attack) as a result of the use of adequately secure coding techniques that affect both the iOS and OS X. A team of Six researchers belongs to Indiana University have reported on Apple’s problem six months ago and also a Whitepaper , and release the information now, because Apple did not correct the problem despite the promises of the company. It is very likely that the attackers will jump at the chance to use this information for making deadly and discover new ways to steal passwords and other sensitive data.

According to The Register, the team was able to demonstrate the performance of attack that involved the application submitted to the Apple App Store, which code to use the weakness was not revealed. They were then able to steal passwords, including the e-mail accounts. According to the team, 1612 popular apps have been tested and proved to be vulnerable to attack Xara 88.6 percent of them. Google Chrome, Facebook, WeChat and Evernote were among the most popular applications, specifically called the team to which they were able to get access due to unsafe sharing mechanisms of cross-applications. Even banking sites visited from inside Chrome can be broken at one time had been stolen credentials.

A group of researchers from the Indiana University say they have found several vulnerabilities in both of the Apple OS X, and the IOS, and perhaps more disturbing, life cracks keychain, which the company uses to applications and their sandboxes on OS X. A series of weak vulnerability authentication, application-to-application fault. When strung together, the questions could be used to use Apple’s, applications and ICloud steal passwords, authentication tokens, and saved web passwords in Google Chrome, researchers warned in an academic paper published Wednesday. Students who work in the security IU lab, collectively refer to as the weaknesses of unauthorized access to the resources of cross-application, or Xara, in the article “Cross-App Unauthorized access to resources on the MAC OS X and IOS.” Weaknesses could make it so if a malicious application sandbox, already checked Apple’s, was present on the machine, it can gain access to confidential data of other applications.

Screen-Shot-2015-06-18-at-23.47.23

Whereas Xing media claimed the researchers release their tools to the public later this year through its demo site. In their paper, the researchers argue that the application can collect data from applications such as Dropbox, Facebook and Evernote, along with WeChat messaging app, and even vaulted passwords 1Password. The problem stems from the weak and defective access control list (ACL) and the implementation of tasks in the sphere of interaction between service applications such as stick, the WebSocket on OS X, and URL-scheme on the IOS and OS X, according to the researchers. As a result, the application can delete arbitrary recording isolated Keychain recreate them using ACL, in turn, enables them to read the keys and values. Malicious applications the researchers have come up with can be removed and re Keychain elements, which means it can add yourself and the target application to the ACL. When users are asked to update their credentials, they will unconsciously keep it as a keychain item created by malicious software.

How To Prevent XARA vulnerabilities On Mac OS X

Apple has acknowledgement about Xara vulnerabilities since several months, and according to the researchers the company does not seem to have fix it after tried several times. However, to avoid the vulnerabilities and use of effective security application is relatively simple, the fact revealed by researchers at the security point. How to avoid malicious applications can be done by downloading the software from a trusted developer, and avoid anything that seems suspicious.

Leave a Reply

Your email address will not be published. Required fields are marked *