Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
macOS Keychain Vulnerabilities Apple Doesn’t Want to Talk About

By István F. Verified by Adam B. Last updated: December 16, 2024

A serious vulnerability uncovered by security researcher Patrick Wardle of Synack cast a dark shadow over the launch of Apple's latest desktop operating system, macOS 10.13 High Sierra. The case also raises the question of how many more security issues Apple's desktop and mobile operating systems contain.

While the latter question is hard to answer, since only time (and hackers) will tell, the Common Vulnerabilities and Exposures (CVE) database shows that Apple's services are not as exposed to attackers as some users may think, despite this recently detected flaw. Some security experts say that the more popular the Mac becomes, the more likely it is to be targeted. The passage of time seems to bear this out, as there has been a spike in attacks targeting Mac computers, yet macOS still remains one of the most secure desktop platforms.

iCloud vulnerabilities

In fact, 2017 was a busy year for Apple: it had to patch 62 vulnerabilities involving iCloud in some way, and the CVE database lists 63 such issues in total. Memory-corruption bugs clearly dominate: 52 of the 63 (82.5%) allowed attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website. Some of these issues were severe, with a CVSS score of 9.3. In particular, the batch reported in July 2017 affected WebKit on iOS before 10.3.3, Safari before 10.1.2, iCloud before 6.2.2 on Windows, iTunes before 12.6.2 on Windows, and tvOS before 10.2.2.

[Figure: Vulnerability Trends Over Time]

iCloud Keychain vulnerability

What has really raised eyebrows, however, is the issue involving the Keychain component. Many users will know that Apple stores passwords, credit card details and other secrets in keychains kept locally on the computer and managed through the Keychain Access app. Users with multiple devices can synchronize those passwords across all of them with iCloud Keychain. In theory this is secure, since the data in iCloud Keychain is protected by encryption.

As discovered by Alex Radocea of Longterm Security Inc., however, a flaw in iCloud Keychain (CVE-2017-2448) failed to validate the authenticity of the Off-the-Record (OTR) protocol packets that devices exchange when syncing. An attacker able to intercept the TLS connections carrying those packets could therefore read secrets protected by iCloud Keychain. The lesson is that encryption is only as strong as the authentication of the parties that negotiate its keys: if a receiver accepts a key-exchange message without checking who signed it, an on-path attacker can negotiate a session with it directly.
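To make that failure mode concrete, here is an added toy model of a keychain-sync key exchange. It is not Apple's code, not the OTR protocol itself, and not derived from Radocea's research. It assumes a trusted-circle identity secret shared by enrolled devices (a stand-in for real per-device signing keys), a deliberately tiny Diffie-Hellman group, and constructed device names. The vulnerable receiver derives a session key from whatever DH value arrives; the hardened one refuses unless the value is authenticated, which is what stops an on-path attacker who has already broken the TLS layer.

```python
"""Toy model: a sync key exchange with and without peer authentication.

Added illustration, not Apple's code or the OTR spec. The long-term identity
key is modelled as an HMAC secret known only to enrolled devices, and the DH
group is a toy prime, far too small for real use. All names are constructed."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1          # toy DH modulus (Mersenne prime M127), NOT a real group
G = 3
IDENTITY_SECRET = b"constructed-trusted-circle-identity-secret"


def dh_keypair():
    """Ephemeral DH key pair for one sync session."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def sign(dh_pub):
    """'Signature' over the ephemeral value; only circle members can compute it."""
    return hmac.new(IDENTITY_SECRET, dh_pub.to_bytes(16, "big"), hashlib.sha256).digest()


def verify(dh_pub, sig):
    """Constant-time check of the signature on a peer's DH value."""
    return hmac.compare_digest(sign(dh_pub), sig)


def session_key(priv, peer_pub):
    """Derive the symmetric key that protects keychain items in transit."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Device:
    def __init__(self, name, enrolled):
        self.name = name
        self.enrolled = enrolled
        self.priv, self.pub = dh_keypair()

    def hello(self):
        """Key-exchange message. An outsider cannot produce a valid signature,
        so it sends random bytes and hopes the receiver never checks."""
        sig = sign(self.pub) if self.enrolled else secrets.token_bytes(32)
        return {"from": self.name, "dh": self.pub, "sig": sig}


def accept_vulnerable(device, msg):
    """Uses the peer's DH value without validating who signed it."""
    return session_key(device.priv, msg["dh"])


def accept_hardened(device, msg):
    """Refuses to derive a key from an unauthenticated DH value."""
    if not verify(msg["dh"], msg["sig"]):
        raise ValueError("DH value from %r is not signed by a trusted-circle identity" % msg["from"])
    return session_key(device.priv, msg["dh"])


def honest_sync(accept):
    """Two enrolled devices talk directly; True if they agree on a key."""
    mac, phone = Device("MacBook", True), Device("iPhone", True)
    return accept(mac, phone.hello()) == accept(phone, mac.hello())


def intercepted_sync(accept):
    """An attacker who already intercepts the TLS channel swaps the phone's
    hello for its own. Returns True if the attacker ends up sharing the Mac's
    session key, i.e. can read every keychain item the Mac sends."""
    mac, phone, mitm = Device("MacBook", True), Device("iPhone", True), Device("mitm", False)
    forged = mitm.hello()
    forged["from"] = phone.name            # claim to be the phone
    mac_key = accept(mac, forged)          # raises on the hardened path
    return mac_key == session_key(mitm.priv, mac.pub)


def hardened_rejects_mitm():
    """True if the hardened receiver aborts the intercepted exchange."""
    try:
        intercepted_sync(accept_hardened)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("honest sync, hardened receiver agrees on key:", honest_sync(accept_hardened))
    print("MITM, vulnerable receiver shares key with attacker:", intercepted_sync(accept_vulnerable))
    print("MITM, hardened receiver rejects:", hardened_rejects_mitm())
```

The point of the model is where the check sits: the attacker never needs to break the encryption, only to be accepted as a party to the key agreement. Any real implementation should also bind the signature to the session transcript and the peer's identity, not just to the DH value as this toy does.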

But actually this wasn’t the first security flaw affecting iCloud Keychain: in 2015 security researchers discovered two others:

  • CVE-2015-5836: Apple Online Store Kit in Apple macOS before 10.11 improperly validates iCloud keychain item ACLs, allowing attackers to obtain access to keychain items.
  • CVE-2015-1065: Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple macOS through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code.

Apple addressed every bug reported by security researchers and credited them for highlighting the issues.

More recently, in the fall of 2017, the launch of macOS High Sierra was overshadowed by a zero-day flaw Wardle found in Keychain, the credential store of macOS (later tracked as CVE-2017-7150). An unsigned app he developed was able to retrieve passwords saved in Keychain in plain text, without triggering the prompt for the user's keychain password that macOS normally requires before handing a stored secret to another application.

Password managers prone to security flaws

We don't read about security flaws related to Apple too often. One thing needs to be kept in mind, though: software is written by humans, and even with the best developers on the team there is always a chance that a bug slips through.

The same goes for password managers. There was much buzz around security flaws discovered in the most popular of these, including but not limited to LastPass and 1Password. That doesn't mean you should stop using them. You could of course keep your passwords on pen and paper, but that feels like living in the 19th century. What you can do is use the service wisely, since no software is hacker-proof, and keep an eye on any communications from the developers. If they fail to inform users about a security flaw or don't patch it quickly, that's a good sign you need to change your password manager.


Best password managers of 2025

Editors' choice: RoboForm (editor's rating 4.5). Effective security center, passkey compatibility, intuitive and organized interface, affordable prices.

Families: LastPass (editor's rating 4). Logical interface, automated password categorization, advanced mobile version, various two-factor authentication options.

Businesses: 1Password (editor's rating 4). End-to-end encryption, secure authentication method, data breach alarms, one-time password support.

Security features: Keeper (editor's rating 4.5). Robust security, wide range of platform support, affordable, great customer support.

Personal use: NordPass Personal (editor's rating 4.5). Strong security features, effective password generator, excellent free version, attractive price.

Password sharing: Dashlane (editor's rating 4). Password changer, built-in VPN, flawless data import, thorough iOS/Android app.

Local storage: Enpass (editor's rating 4). Packed with features, free for desktop users, offline password manager, end-to-end encryption.




©2012-2025 Best Reviews, a clovio brand – All rights reserved