Vulnerability in Mac’s passwords
A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps.
That exposes the passwords for your iCloud account, notes, photos, email, banking, social media — everything.
Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could “cross over” into other apps.
The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them. When you do, it grabs them.
They also found an issue with the way Apple categorizes Mac programs with a unique ID, called a BID. Hackers could assign an email app’s BID to a piece of malware, and the malware would then get scooped up into a “trusted” group of programs.
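As an added example (not from the article or the researchers), here is one way a defender could audit a folder of installed apps for bundles that claim the same ID. It assumes the article's "BID" is the CFBundleIdentifier stored in each bundle's Info.plist; the app names and IDs in the sample tree are constructed.

```python
import plistlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Directory suffixes treated as bundles (apps and the helpers nested inside them).
BUNDLE_SUFFIXES = {".app", ".xpc", ".appex"}

def bundle_id(bundle: Path):
    """Return the CFBundleIdentifier from a bundle's Info.plist, or None."""
    for rel in ("Contents/Info.plist", "Info.plist"):
        plist = bundle / rel
        if plist.is_file():
            try:
                with plist.open("rb") as fh:
                    return plistlib.load(fh).get("CFBundleIdentifier")
            except Exception:  # unreadable or malformed plist: no usable ID
                return None
    return None

def find_duplicate_bids(root: Path):
    """Map every bundle ID claimed by more than one bundle to its claimants."""
    claims = defaultdict(list)
    for path in sorted(root.rglob("*")):
        if path.is_dir() and path.suffix in BUNDLE_SUFFIXES:
            bid = bundle_id(path)
            if bid:
                claims[bid].append(path.relative_to(root).as_posix())
    return {bid: paths for bid, paths in claims.items() if len(paths) > 1}

def build_sample_tree(root: Path):
    """Constructed sample: a mail app and an unrelated app whose helper reuses its ID."""
    layout = {
        "Mail Client.app": "com.example.mail",
        "Daily Jokes.app": "com.example.jokes",
        "Daily Jokes.app/Contents/XPCServices/Helper.xpc": "com.example.mail",
    }
    for rel, bid in layout.items():
        contents = root / rel / "Contents"
        contents.mkdir(parents=True, exist_ok=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bid}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for bid, paths in find_duplicate_bids(Path(tmp)).items():
            print(bid, "is claimed by:", *paths, sep="\n  ")
```

On a real Mac, point find_duplicate_bids at a folder such as /Applications; a hit is a lead to investigate, not proof of malware.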
The Indiana University team analyzed the top 1,612 Mac apps, and found that 89% of them were susceptible to these kinds of attacks.
To prove that a hacker could pull off the attack, the research team sneaked a malicious app capable of stealing passwords into Apple’s heavily guarded App Store. The malware was disguised as a daily-gag-delivering app called “Joke Everyday.”