'security' Articles

LastPass Working on Security Patch For Browser Extension Vulnerability

LastPass has advised all users of the password manager to launch sites directly from the LastPass vault and enable two-factor authentication wherever possible, until it addresses a vulnerability discovered in LastPass browser extensions. The client-side vulnerability, discovered by Google security researcher Tavis Ormandy, allows for an attack that is "unique and highly sophisticated", said LastPass in a blog post, without disclosing further details.

Tavis Ormandy (@taviso) tweeted on March 25, 2017: "Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way. pic.twitter.com/vQn20D9VCy"

LastPass wrote: "Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don't want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete."

To secure sign-in credentials in the meantime, LastPass has recommended that users launch sites directly from the vault and make use of two-factor authentication on sites that offer it, while remaining vigilant to avoid phishing attempts. The news follows the discovery and successful patching of earlier remote code execution (RCE) vulnerabilities that could be used to steal passwords from extensions for Firefox, Chrome, Opera, and Edge. Safari was not mentioned in

Hackers Claim Access to 300 Million iCloud Accounts, Say Apple Refused to Pay $75,000 Ransom

A single hacker or group of hackers who have identified themselves as the "Turkish Crime Family" allegedly have access to at least 300 million iCloud accounts, but they are willing to delete the alleged cache of data if Apple pays a ransom by early next month, according to a report from Motherboard. The hackers have allegedly demanded $75,000 to be paid in the cryptocurrencies Bitcoin or Ethereum, or $100,000 worth of iTunes gift cards, by April 7, or they will reset a number of the iCloud accounts and remotely wipe victims' Apple devices. The email accounts are said to include @icloud.com, @me.com, and @mac.com addresses.

The report said that the hackers "provided screenshots of alleged emails between the group and members of Apple's security team," while the hackers also shared an unlinked YouTube video that seemingly shows proof of them accessing "an elderly woman's iCloud account" and "the ability to remotely wipe the device." If the screenshotted email is accurate, which it very well might not be, a member of Apple's security team turned down the ransom, noting that Apple does "not reward cyber criminals for breaking the law."

"We firstly kindly request you to remove the video that you have uploaded on your YouTube channel as it's seeking unwanted attention, second of all we would like you to know that we do not reward cyber criminals for breaking the law," a message allegedly from a member of Apple's security team reads. (Motherboard only saw a screenshot of this message, and not the original.)

The alleged Apple team member then says archived communications

Researchers Uncover macOS and Safari Exploits at Pwn2Own 2017

The seventeenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, where researchers are competing in the 10th anniversary Pwn2Own computer hacking contest for over $1 million in prizes. Day one results have already been published over at the Zero Day Initiative website, with a couple of successful Mac-related exploits already appearing in the list of achievements. Independent hackers Samuel Groß and Niklas Baumstark landed a partial success and earned $28,000 after targeting Safari with an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar.

"In a partial win, Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) earn some style points by leaving a special message on the touch bar of the Mac. They used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS. They still managed to earn $28,000 USD and 9 Master of Pwn points."

Later in the day, Chaitin Security Research Lab also targeted Safari with an escalation to root on macOS, finding success using a total of six bugs in their exploit chain, including "an info disclosure in Safari, four type confusion bugs in the browser, and a UAF in WindowServer". The combined efforts earned the team $35,000. The participating teams earned a total of $233,000 in prizes on day one, including a leading $105,000 earned by Tencent Security, according to published details. Other software successfully targeted by contestants includes Adobe Reader, Ubuntu Desktop,

Apple Hires iPhone Security Expert Jonathan Zdziarski

iPhone forensics expert, security researcher, and former jailbreak community developer Jonathan Zdziarski today announced he has accepted a position with Apple's Security Engineering and Architecture team. He did not reveal his official starting date or responsibilities at the company.

"I'm pleased to announce that I've accepted a position with Apple's Security Engineering and Architecture team, and am very excited to be working with a group of like-minded individuals so passionate about protecting the security and privacy of others. This decision marks the conclusion of what I feel has been a matter of conscience for me over time. Privacy is sacred; our digital lives can reveal so much about us – our interests, our deepest thoughts, and even who we love. I am thrilled to be working with such an exceptional group of people who share a passion to protect that."

Zdziarski has provided input on a number of important iOS-related security matters over the years, ranging from Apple's high-profile battle with the FBI over unlocking an iPhone used by a shooter in the 2015 San Bernardino attack to smaller incidents such as a potential WhatsApp flaw uncovered last year. Zdziarski was known as "NerveGas" within the jailbreaking community. He was formerly part of both the iPhone Dev Team and Chronic Dev Team. Zdziarski used to be an active Twitter user, but it appears he has disabled his account recently, possibly due to his employment at

Adobe Issues Critical Security Update for Flash Player on Mac

Adobe this week released Flash Player version 24.0.0.221 to "address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," including Mac, Windows, Linux, and Chrome OS. Mac users with Flash Player version 24.0.0.194 or earlier installed should immediately update to the latest version using the built-in update mechanism. The update is also available from the Adobe Flash Player Download Center.

Flash Player users who had enabled the option to "allow Adobe to install updates" will receive the update automatically. Likewise, Google Chrome will automatically update Flash Player to version 24.0.0.221. Select "About Google Chrome" under the Tools menu to verify the browser is up-to-date.

Adobe said the critical security update resolves integer overflow, memory corruption, type confusion, heap buffer overflow, and use-after-free vulnerabilities that could lead to code execution. The vulnerabilities were reported by security teams from Google, Microsoft, Palo Alto Networks, and Trend Micro.

Safari on macOS Sierra deactivates Flash by default, only turning on the plug-in when the user requests it. Chrome, Firefox, and most other modern web browsers also have web plug-in safeguards in place due to repeated security risks. Adobe has released fifteen Flash Player security updates over the past year. In 2010, Apple co-founder Steve Jobs shared his "Thoughts on Flash," in which he favored open web standards such as HTML5 over Adobe Flash. Jobs said Flash Player was "the number one reason Macs crash," while criticizing its

76 Popular Apps Vulnerable to Data Interception, Warns iOS Security Researcher

At least 76 popular iOS apps have been found to be vulnerable to data interception, according to a report from a security expert. The discovery was made by app binary code scanning service verify.ly and published in a Medium post by Sudo Security Group CEO Will Strafach, who revealed that the apps failed to make use of the Transport Layer Security protocol. The TLS protocol secures communication between client and server. Without the protection, the apps are susceptible to data interception by an attacker with access to custom hardware such as a modified smartphone, which can be used to initiate TLS certificate injection attacks. The interception is possible regardless of whether the developers chose to use Apple's networking security feature, App Transport Security.

"The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range. There is no possible fix to be made on Apple's side, because if they were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable."

Apps in the vulnerable list included a number of

iPhone 7 Ousts Samsung Handset as 'Device of Choice' For U.K. Defense Officials [Updated]

The U.K.'s Ministry of Defense has chosen Apple's iPhone 7 over Samsung as the "device of choice" for its military personnel, according to a report by TechRepublic this week. Telecoms company BT is said to be working with the country's MoD to harden the security of the phone so that military officers can discuss and store sensitive information on the device. Steve Bunn, technical business manager for defense at BT, said the phone would eventually be capable of being switched between different modes depending on which security level was appropriate.

Photo: Harland Quarrington/MOD

"We've been working very closely with them to develop what we've commonly called a 'dual-persona device'. Essentially this means you can have voice at official and at secret."

BT is also working with the MoD to create "secure storage containers" on the device to hold sensitive data, revealed Bunn. BT is said to have begun using a Samsung Note 4 to develop the bespoke military communications device, but testing quickly revealed that the security of the Android OS wasn't sufficient and the project was transferred to Apple's phone. Despite Apple's high-profile reputation for upholding iOS security standards, the MoD's switch to iPhone bucks a trend in the defense industry, which tends to prefer phones running Android because of the ease with which the operating system can be altered. As noted by TechRepublic, the GSMK CryptoPhone, which runs a heavily stripped-down version of Android, is currently in active use among military and security bodies around the world.

Update: BT has since

Apple Says it Syncs Call Logs on iCloud As a 'Convenience to Customers' Amid Security Concerns

Earlier today, reports surfaced on The Intercept and Forbes claiming Apple "secretly" syncs Phone and FaceTime call history logs on iCloud, complete with phone numbers, dates and times, and duration. The info comes from Russian software firm Elcomsoft, which said the call history logs are stored for up to four months. Likewise, on iOS 10, Elcomsoft said incoming missed calls that are made through third-party VoIP apps using Apple's CallKit framework, such as Skype, WhatsApp, and Viber, also get synced to iCloud. The call logs have been collected since at least iOS 8.2, released in March 2015, so long as a user has iCloud enabled. Elcomsoft said the call logs are automatically synced, even if backups are turned off, with no way to opt out beyond disabling iCloud entirely.

"You can only disable uploading/syncing notes, contacts, calendars and web history, but the calls are always there," said Vladimir Katalov, CEO of Elcomsoft. "One way call logs will disappear from the cloud, is if a user deletes a particular call record from the log on their device; then it will also get deleted from their iCloud account during the next automatic synchronization."

Given that Apple possesses the encryption keys to unlock an iCloud account for now, U.S. law enforcement agencies can obtain direct access to the logs with a court order. Worse, The Intercept claims the information could be exposed to hackers and anyone else who might be able to obtain a user's iCloud credentials. In some cases, hackers could access an iCloud account even without account credentials, such as by using

Adobe Flash on Mac Gets Second Critical Security Update in Just Two Weeks

Adobe for the second time this month has released Flash Player security updates to address critical vulnerabilities that could potentially allow an attacker to take control of Mac, Windows, Linux, and Chrome OS systems. Adobe gave the security fixes its highest severity rating, meaning users should immediately update to the latest Flash Player version through the built-in update mechanism, or by visiting the Adobe Flash Player Download Center.

Adobe said the security updates resolve a use-after-free vulnerability that could lead to code execution, as discovered by Google's Threat Analysis Group. Adobe said it was aware of the exploit being used in "limited, targeted attacks" against users running Windows 7 or later only, but Mac users could still be affected and should update out of an abundance of caution.

Affected versions of Flash Player for Mac:
- Adobe Flash Player version 23.0.0.185 and earlier
- Adobe Flash Player for Google Chrome version 23.0.0.185 and earlier

Mac users running Flash Player 11.3.x or later who have selected the option to "allow Adobe to install updates" will receive the update automatically. Likewise, Google Chrome will automatically update Flash Player to version 23.0.0.205. Select "About Google Chrome" under the Tools menu to verify the browser is up-to-date.

Safari on macOS Sierra deactivates Flash by default, only turning on the plug-in when the user requests it. Chrome, Firefox, and most other modern web browsers also have web plug-in safeguards in place due to repeated security risks. Adobe has released a dozen Flash Player security

Adobe Releases Critical Security Update for Flash Player on Mac

Adobe has released security updates for Flash Player that address critical vulnerabilities that could put Mac users at risk. Flash Player version 23.0.0.162 and earlier, Flash Player Extended Support Release version 18.0.0.375 and earlier, and Flash Player for Google Chrome version 23.0.0.162 and earlier are affected on macOS Sierra and OS X. Mac users should update to the latest Flash Player version through the built-in update mechanism, or by visiting the Adobe Flash Player Download Center.

Mac users running Flash Player 11.3.x or later who have selected the option to "allow Adobe to install updates" will receive the update automatically. Likewise, Google Chrome will automatically update Flash Player to version 23.0.0.185. Safari on macOS Sierra deactivates Flash by default, only turning on the plug-in when the user requests it. Chrome, Firefox, and most other modern web browsers also have web plug-in safeguards in place due to repeated security risks.

Similar critical security updates were issued in March, for example, while Adobe released an "emergency" Flash Player security update in April to address ransomware attacks affecting Flash-based advertisements on Mac and other platforms. Ransomware is a type of malware that encrypts a user's hard drive and demands payment in order to decrypt it. These types of threats often display images or use voice-over techniques containing instructions on how to pay the ransom. The latest vulnerabilities, discovered by Palo Alto Networks, Trend Micro, Tencent, and other researchers, could lead to nondescript "code

macOS Sierra Addresses Dropbox Security Concerns by Explicitly Asking for Accessibility User Permission

Following Dropbox-related security concerns that surfaced earlier this month, developer Phil Stokes has confirmed that macOS Sierra now explicitly requires apps to ask for user permission to access Accessibility (via Daring Fireball). Users can give access to an app, or click "not now" to deny the request. Concerns were raised after it was demonstrated that Dropbox appears in System Preferences > Security & Privacy under Accessibility, despite the fact that users were never prompted to grant access to the features. More details can be found in our previous coverage and in a Dropbox support document.

"Let's assume for the sake of argument that Dropbox never does any evil on your computer. It remains the fact that the Dropbox process has that ability. And that means, if Dropbox itself has a bug in it, it's possible an attacker could take control of your computer by hijacking flaws in Dropbox's code. Of course, that's entirely theoretical, but all security risks are until someone exploits them. The essence of good computer security and indeed the very reason why OSX has these kinds of safeguards in place to begin with is that apps should not have permissions greater than those that they need to do their job."

At the time, Dropbox said it was working with Apple to reduce its dependence on elevated access in macOS Sierra, and would respect when people disable the app's Accessibility permissions, but now a much-needed safeguard exists regardless. In a new blog post, Dropbox still recommends that Mac users running macOS Sierra update their Accessibility permissions, if

iOS Device Ransom Attacks Continue to Target Users in U.S. and Europe

A few years ago, a number of users in Australia were victimized by attackers remotely locking iPhones, iPads, and Macs using Find My iPhone on iCloud. Compromised devices typically displayed Russian ransom messages demanding payments of around $50 to $100 for the device to be unlocked.

A ransom message targeting a Mac in 2014 with the common pseudonym "Oleg Pliss"

At the time, IT security expert Troy Hunt noted that the attackers were likely using compromised emails and passwords exposed from various online security breaches to log in to iCloud accounts. AOL and eBay, for example, were among several high-profile companies that suffered data breaches in 2014. Apple later confirmed that iCloud was not compromised, and that the eventually-arrested attackers had instead gained access to Apple IDs and passwords through external sources. Russian website MKRU said the attackers obtained the credentials via phishing pages and social engineering techniques.

Since then, CSO security blog Salted Hash has discovered that, since at least February of this year, these ransom attacks have returned and now target users in the U.S. and Europe. The methods used by attackers are said to be the same ones used in 2014, starting with a compromised Apple ID.

"It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim's device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it. In each of the cases reported publicly, the ransom demanded is usually

What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

Internet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware arising from a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc Converter.app" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

"EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly converting files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory as the original file."

EasyDoc Converter was previously available on software download website MacUpdate, but the app was removed by July 5. It may remain available for download elsewhere online. The app was never available through the Mac App Store. The app was created with Platypus, a developer tool used to build native Mac apps from shell, Perl, Python or Ruby scripts.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious

Google Simplifies 2-Step Verification Process With iOS Search App Prompt

Google is making the two-factor authentication process to log in to a user account a simpler affair by integrating it into the company's iOS search app. Two-factor authentication adds an extra layer of security to users' Google Apps accounts by requiring them to enter a verification code in addition to their username and password when signing in to their account. The two-step verification process prevents unauthorized access if someone obtains a user password.

Previously, users had to opt to receive a text message or phone call to get an authentication code, or alternatively use the Google Authenticator mobile app, which generates time-limited numerical codes that users needed to enter into their account log-in page. The change, which is being rolled out from today, means that when a user tries to sign in to a Google account with two-step verification enabled, a notification from the Google search app now asks if they are trying to sign in. A simple tap on the option "Yes, allow sign-in" quickly authenticates the account.

To enable two-factor authentication, users need to sign in to Google's My Account section and select Google prompt under Sign-in & Security -> Signing in to Google -> 2-Step Verification. Google notes that the option requires a data connection to work, and that it may take up to three days for the feature to appear across all account pages. The Google app is a free download for iPhone and iPad available on the App Store.

Adobe Issues 'Emergency' Flash Player Security Update for OS X to Address Ransomware Attacks

Adobe has issued Flash Player security updates for OS X, Windows, Linux, and Chrome OS to address "critical vulnerabilities that could potentially allow an attacker to take control of the affected system" by way of ransomware. Ransomware is a type of malware that encrypts a user's hard drive and demands payment in order to decrypt it. These types of threats often display images or use voice-over techniques containing instructions on how to pay the ransom.

In this particular "CERBER" attack (via Reuters), affecting Flash-based advertisements, attackers have reportedly demanded between around $500 and $1,000 to retrieve the encrypted files. Adobe says it is aware of Windows 10 being "actively exploited" by this attack, but it is unclear if any Macs have actually been victimized. Just last month, popular BitTorrent client Transmission was temporarily infected with the first ransomware found on the Mac platform.

"Currently, all servers hosting these malvertisements are now inaccessible. Some reports mentioned that CERBER is being peddled in the Russian underground market as ransomware-as-service (RaaS). This not only proves the suggestion presented by the configuration file's code above, but also confirms that we will be seeing more of CERBER in the near future."

Adobe recommends that Flash Player users on Mac update to version 21.0.0.213 through the update mechanism within the software when prompted, or by visiting the Adobe Flash Player Download Center. Adobe Flash Player installations within Chrome, Microsoft Edge, and Internet Explorer for Windows 8.1 or later should

Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016

The sixteenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, and researchers participating in the Pwn2Own computer hacking contest have already discovered multiple vulnerabilities in OS X and the Safari web browser on the desktop. On day one of the event, independent security researcher JungHoon Lee earned $60,000 after exploiting both OS X and Safari. Lee uncovered four vulnerabilities in total, including one exploit in Safari and three other vulnerabilities within the OS X operating system, according to security firm Trend Micro.

"JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000."

Meanwhile, the report claims that the Tencent Security Team Shield group successfully executed code that enabled them to gain root privileges to Safari using "two use-after-free vulnerabilities," including one in Safari and the other in a "privileged process." The researchers were awarded $40,000 in prize money. The five participating teams earned a total of $282,500 in prizes on day one, including a leading $132,500 earned by the 360Vulcan Team, according to the report. Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows. Apple representatives have attended

Adobe Releases Flash Player Update for 'Critical' Security Vulnerability on Mac

Adobe has released security updates for Flash Player that address critical vulnerabilities that "could potentially allow an attacker to take control of the affected system." Adobe is aware of "limited, targeted attacks" on OS X, Windows, and Linux. Adobe lists the affected Flash Player and AIR versions in a security bulletin on its website. Mac or PC users running an affected version should immediately uninstall the web plugin or update their installation to the newest version outlined on Adobe's website.

Apple blocks many older or vulnerable versions of web plugins from functioning, including Adobe Flash and Java, to help limit exposure to potential "zero day" exploits. The web plugins remain blocked in Safari until you install the latest updates. Chrome, Firefox, and most other modern web browsers also have web plugin safeguards in place due to the high number of past security

Apple Acquired Firmware Security Company LegbaCore Last November

Apple acquired firmware security company LegbaCore in November 2015, according to security researcher Trammell Hudson, who revealed the acquisition in his presentation at the 32C3 conference in December. LegbaCore's goal, according to founder Xeno Kovah, is "to help build systems that are as secure as we know how to make." In November, Kovah and fellow LegbaCore founder Corey Kallenberg revealed that they had joined Apple as full-time employees. Just a couple of days before that, LegbaCore's website announced that it would "not be accepting any new customer engagements", noting that the website would remain up "to serve as a reference for LegbaCore's past work."

LegbaCore had collaborated with Hudson on Thunderstrike 2, the first firmware worm to affect Mac computers. The malware is impossible to remove, resistant to both firmware and software updates. LegbaCore and Hudson had alerted Apple to Thunderstrike 2's vulnerabilities and Apple began work on fixes, issuing one in June 2015.

On Twitter, Kovah said that Apple began discussions with LegbaCore after the consultancy's presentation in summer 2015. It soon became clear to Kovah and Kallenberg that Apple had "some *very* interesting and highly impactful work" that the two could participate in. They were eventually convinced to wind down LegbaCore's existing contracts and begin work at Apple.

Xeno Kovah (@XenoKovah) tweeted on November 10, 2015: "What did Apple hire us to do? We can't say. :) Well, we can probably say something like 'low level security' (I don't know our job titles)"

While LegbaCore is a security consultancy

Apple's Strict Bluetooth LE Security Requirements Slowing Rollout of HomeKit Accessories

While it has been more than a year since Apple launched HomeKit, a software framework for communicating with and controlling light bulbs, thermostats, door locks and other connected accessories in the home, only five HomeKit-approved products have been released to date: the Ecobee3, Elgato Eve, iHome iSP5 SmartPlug, Insteon Hub and Lutron Caseta Wireless Lighting Starter Kit. The slow rollout of HomeKit-enabled hardware accessories is not because of a lack of interest in the platform, but rather Apple's strict security requirements for Bluetooth LE (low energy) devices, according to Forbes. In particular, the strong level of encryption required to use the HomeKit protocol through Bluetooth LE has resulted in lag times that essentially render some accessories useless.

"For example, a smartlock that makes its user wait 40 seconds before it opens is clearly inferior to a traditional lock. One of HomeKit's selling points is that it provides a more reliable user experience, so these kinds of lag times will need to be sorted out before Apple can become a major platform for the smart home."

Elgato Eve smart home sensors for doors, windows and energy consumption

Chipmakers such as Broadcom and Marvell have reportedly been working to improve their Bluetooth LE chips to more effectively handle Apple's level of encryption, an important step if the company wants to become a major player in the smart home. In the meantime, developers have either been focusing on Wi-Fi-based HomeKit hardware or working on temporary solutions to the problem.

For the time being, Elgato has found a

iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data

A team of six researchers from Indiana University, Georgia Tech and Peking University have published an in-depth report exposing a series of security vulnerabilities that enable sandboxed malicious apps, approved on the App Store, to gain unauthorized access to sensitive data stored in other apps, including iCloud passwords and authentication tokens, Google Chrome saved web passwords and more. The thirteen-page research paper "Unauthorized Cross-App Resource Access on Mac OS X and iOS" details that inter-app interaction services, ranging from the Keychain and WebSocket on OS X to the URL Scheme on OS X and iOS, can be exploited to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits.

"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."

The different cross-app and communication mechanism vulnerabilities discovered on iOS and OS X, identified as XARA weaknesses, include Keychain password stealing, IPC interception, scheme hijacking and container cracking. The affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others. Lead researcher Luyi Xing told The