Security researchers have disclosed a set of vulnerabilities, still unpatched at the time of writing, that allow a malicious app to steal Keychain entries and app passwords on Apple's iOS and OS X operating systems without being detected.
The flaws, which the researchers call cross-app resource access attacks, or XARA, affect Apple mobile devices as well as Macs and MacBooks. The Keychain attack and the sandbox-container attack are specific to OS X, where the Keychain service stores passwords and other credentials for every app; the weaknesses in inter-app communication affect both OS X and iOS. Together they mean that confidential data held by apps such as Facebook, Evernote and WeChat can be stolen by another app on the same device.
Worse, the flaws were reported to Apple in October 2014, and an advance copy of the research paper was sent to Apple in February at its request, yet the flaws remain in the latest versions of both operating systems.
Researchers from Indiana University, Peking University and the Georgia Institute of Technology told The Register that Apple had asked them to allow six months to fix the problem before publishing their research, but that they had still not heard back.
Malicious apps passed Apple's vetting process
"We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps," lead researcher Luyi Xing of Indiana University said.
"Our malicious apps successfully went through Apple's vetting process and were published on Apple's Mac app store and iOS app store."
Using a sandboxed app, the researchers were also able to steal banking login credentials, iCloud tokens and passwords saved by password vaults and by the Google Chrome web browser on a Mac running OS X 10.10.3, the latest release at the time.
"We are the first to identify the generality of the XARA problem and systematically investigate the threat on the Apple platforms," the researchers wrote in the report.
"The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g. passwords) to a malicious app even when it is sandboxed. Such findings, which we believe are just a tip of the iceberg, will certainly inspire the follow-up research on other XARA hazards across platforms."
Automated defence technology is needed
Security experts are warning that companies such as Apple need to strengthen their security and perhaps look into automated defence technology that can spot security flaws automatically.
"The real concern is that when a flaw is detected, organisations are under pressure to enforce reactive measures – a mere sticking plaster on the initial problem," Kane Hardy, VP for EMEA at Hexis Cyber Solutions told IBTimes UK.
"For all organisations, zero-day flaws should serve as a wake-up call to implement automated defence technology that ensures damage can be mitigated before it even occurs. This is the next generation in cyber defence – a solution that dramatically reduces the risk associated with inherent IT infrastructure weakness.
"It's important to remember that cyber-criminals are always on the lookout for methods to sneak around security options or discover loopholes in systems that are commonly used by consumers and corporations alike. The danger is that such vulnerabilities can quickly be developed into weapons that effectively subvert targeted systems, so organisations need to remain on the front foot."
IBTimes UK has contacted Apple and is waiting for a response.