Security bug allows hackers to bypass encryption, intercept iCloud Keychain

Luana PASCU

July 25, 2017

Password security is vital but far too often neglected. The problem comes not only from unaware users who keep reusing weak passwords; it also comes from manufacturers who don't focus enough on security flaws and vulnerabilities in their products.

Who would have thought an unreported flaw in iCloud Keychain would expose passwords and credit card data to hackers? And if that wasn't bad enough, an attacker could have easily bypassed encryption and accessed all the data stored on Apple gadgets, a researcher from security consulting company Longterm Security found.

“While reviewing attack surfaces on iOS for potential sandbox escapes, we uncovered a critical flaw in a custom Off-The-Record implementation relied upon by iCloud Keychain Sync in addition to a memory trespass error (CVE-2017-2451),” explains Longterm Security co-founder Alex Radocea, who will give a full presentation on the issue at BlackHat USA.

According to Radocea, the bug is the kind that authorities regularly investigate in end-to-end encryption, because it allows hackers to weaken the structure and intercept all data sent from the device.

Apple introduced iCloud Keychain with iOS 7 to make it easier for users to sync their passwords and credit card numbers on all devices. Even if a device is lost, the data can be restored through the iCloud Keychain Recovery mechanism.

Prior to this discovery, iCloud Keychain was viewed as one of the safest password-sharing tools due to its end-to-end encryption, but “the flaw undermined that end-to-end encryption capability and could have allowed a privileged attacker to steal user keychain secrets.”

Apple covered the unreported flaw in its recent security update piece, assuring customers that it has already investigated the matter, which was fixed through Apple's release of iOS 10.3.
