On June 17th, The Register reported that there was a zero-day vulnerability in the iOS and OS X Keychain that compromised secure data stored in the Keychain. The article claimed that data written to the keychain could be read by a malicious application.

At Square, we write iOS code that moves money. Security is always our first priority, and we took these claims very seriously. If the article's assertions were correct, the world was on fire.

When we became aware of the vulnerability a little after 8am PDT, we immediately opened up the paper describing the attack. We found that the attack worked as follows:

1. Malicious app searches the Keychain for keys written by benign apps. The malicious app can see that the keys exist, but can't read the associated secret values.
2. Malicious app deletes the keys written by the benign apps.
3. Malicious app then adds the keys back to the keychain without the values, and adds itself and the benign app to the keys' Access Control List (ACL), allowing the malicious app to read whatever secrets the benign app later writes to those keys.

At this point, we could breathe a sigh of relief: Access Control Lists only exist on Mac OS X - not iOS - so despite the headlines, our applications were not vulnerable to an attack.
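The three steps above hinge on one property: updating an existing item keeps whatever ACL it already has. The following added example (not code from the original post or from Apple's API) replays the steps on a simplified in-memory model and contrasts a plain update with an owner-side write that checks the ACL first; the `Keychain` class, `store_secret`, the app names and the secrets are all constructed assumptions.

```python
# Simplified in-memory model of per-item keychain ACLs; it does not call the real Keychain API.
class Keychain:
    def __init__(self):
        self.items = {}  # key name -> {"value": secret, "acl": set of app ids}

    def list_keys(self):
        return sorted(self.items)  # existence is visible without read access

    def add(self, app, key, value=None, acl=None):
        if key in self.items:
            raise KeyError(key)
        # The creating app chooses the ACL; by default only itself.
        self.items[key] = {"value": value, "acl": set(acl or {app})}

    def delete(self, app, key):
        del self.items[key]  # as described on the page: no read access needed

    def update(self, app, key, value):
        self._check(app, key)
        self.items[key]["value"] = value  # the existing ACL is kept

    def read(self, app, key):
        self._check(app, key)
        return self.items[key]["value"]

    def _check(self, app, key):
        if app not in self.items[key]["acl"]:
            raise PermissionError(app)

def store_secret(kc, app, key, value):
    """Hypothetical owner-side write: never reuse an item with an unexpected ACL."""
    if key in kc.items and kc.items[key]["acl"] != {app}:
        kc.delete(app, key)  # recreate the item instead of writing into it
    (kc.update if key in kc.items else kc.add)(app, key, value)

def replay(hardened):
    """Return what the second app can read after the owner's next write."""
    kc = Keychain()
    kc.add("benign", "api-token", "old-secret")
    # The three steps from the page, performed by a second app, "other".
    key = kc.list_keys()[0]
    kc.delete("other", key)
    kc.add("other", key, acl={"other", "benign"})
    # The owner later writes a new secret to the same key.
    write = store_secret if hardened else Keychain.update
    write(kc, "benign", "api-token", "new-secret")
    try:
        return kc.read("other", "api-token")
    except PermissionError:
        return None
```
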