Critical SwiftKey and Zero-Day vulnerabilities reported in Samsung and Apple accordingly

Two massive security flaws have been found in Apple and Android products that could enable hackers to grab your data and private information.

The first vulnerability is a zero-day alike bug in OS X and iOS that enables the hackers to steal both application passwords and Keychain (the password manager). The vulnerability, initially got disclosed in form of an academic paper released by a group of researchers from Georgia Institute of Technology (commonly known as Georgia Tech), Peking University and Indiana University, spotted a flaw in the latest OS versions of Apple that allows an application to download from Apple app store for gaining illegal access to different applications.

The researcher wrote, “More specifically, we found that the inter-app interaction services, including the keychain…can be exploited…to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote.”

The Register initially published the news of this research, which stated that Apple was firstly informed in Oct 2014 and then Feb 2015 – the firm asked experts to hold off the secret for 6 months.

The team went through tests to back all of their findings, Apple app store’s restrictive security checks were successfully circumvented – and in last June the app store even permitted their malicious applications. The researchers claim, almost 80% of the applications were totally vulnerable to the attacks.

The Register wrote, “The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults. Google’s Chromium security team was more responsive and removed Keychain integration for Chrome noting that it could likely not be solved at the application level. AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware ‘work harder’ some four months after disclosure.”

Ben Lovejoy from 9to5mac.com writes, “For now, the best advice would appear to be cautious in downloading apps from unknown developers – even from the iOS and Mac App Stores – and to be alert to any occasion where you are asked to login manually when that login is usually done by Keychain.”

Vulnerability in Samsung Keyboard

On the other hand, NowSecure’s researchers revealed they had found a major flaw in a 3rd party keyboard application that is already installed on over 600 million smartphones of Samsung – latest Galaxy S6 is no exception. The security flaw enables hackers to remotely get access to camera, GPS, microphone, outgoing messages, incoming messages, secretly install malware, pictures and voice calls.

Switch Keyboard is the application that’s having security bug causing all the problems and a privileged account on Samsung mobiles is needed to run the app, explained Ryan Welton. To exploit the vulnerability hackers need to control or compromise the network to whom the mobile is connected, just like a local network or wifi hotspot.

Welton wrote in an article about this vulnerability, which was initially revealed on Tuesday at Black Hat London, “This means that the keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root.”

He added, “While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally.”

A list of Samsung mobiles indexed by patch status and their private carrier has been released by NowSecure.

As any other company on such incidents might have said, a statement from Samsung were released claiming that the company takes concrete measure against these security threats.

Samsung said, “Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

A statement released by Swiftkey suggests that just this week the firm got to know about the flaw, and its own keywords apps being featured on Apple and Google app stores are not effected from the glitch. SwiftKey wrote in a blog post, “We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”

Top/Featured Image: mahmoud99725 / Flickr

COMMENTS

WORDPRESS: 1
  • Megan 1 year

    Hi, I’m Megan and I work for AgileBits, the makers of 1Password.

    For our security expert’s thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we’d love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.

  • DISQUS: 0

    Critical SwiftKey and Zero-Day vulnerabilities reported in Samsung and…

    by Stella Strouvali time to read: 3 min
    1