Apple Patches iOS Vulnerability

Wednesday, July 26, 2017 @ 10:07 AM gHale


Apple mitigated a vulnerability in iOS 10.3 that would have allowed hackers to access information including users’ passwords and credit cards.

The vulnerability was in the iCloud Keychain Sync’s custom Off-The-Record (OTR) system, said researchers at security firm Longterm Security.


iCloud Keychain is a feature that allows Apple users to have their private information, including but not limited to passwords and credit cards, synced across multiple devices.

Apple’s system uses key verifications to transfer data from one device to another securely, but using a man-in-the-middle attack, hackers could have been able to bypass the process and intercept traffic sent by configured devices, said Longterm Security co-founder Alex Radocea in a blog post.

This means data stored in the iCloud Keychain would have become available in plain text, without users even being aware of it, as no devices were being added and no notifications were sent.

While the flaw itself has already been patched by Apple in the latest iOS update, the security researcher warns that passwords need proper security, especially because this has become “critical in the real world.”

“Besides well-funded adversaries who might be interested in iCloud Keychains, there are opportunistic attackers and criminals looking to leverage and monetize leaked password dumps in any way they can think up,” Radocea said. “They represent an immediate and constant threat to iCloud as well as any other cloud service. Passwords alone would be fairly risky when storing a trove of user data including credit card numbers.”

Apple users should update their devices as soon as possible, with iOS 10.3 currently available via Settings > General > Software Update on iPhones and iPads. It’s believed all the other iOS versions are vulnerable to attacks and are exposing users’ data, so updating is critical to keep data secure.


