“A security flaw in iOS devices that went largely unreported after it was revealed to have been fixed had the potential to be one of the most damaging security vulnerabilities this year,” Zack Whittaker reports for ZDNet.
“The bug exploited a flaw in how Apple’s iCloud Keychain synchronizes sensitive data across devices, like passwords and credit cards on file, which — if exploited — could’ve let a sophisticated attacker steal every secret stored on an iPhone, iPad, or Mac,” Whittaker reports. “‘The bug we found is exactly the kind of bug law enforcement or intelligence would look for in an end-to-end encryption system,’ said Alex Radocea, co-founder of Longterm Security.”
“It’s all because of a flaw in how iCloud Keychain verified device keys, which Radocea was able to bypass… There are caveats to the attack, said Radocea, indicating that not anyone can carry out this kind of attack. It takes work, and effort, and the right circumstances,” Whittaker reports. “‘With the bug I couldn’t go ahead and steal whoever’s iCloud Keychain just by knowing their account name. I would also need access to their iCloud account somehow,’ he said… Apple released a fix in March, with iOS 10.3 and macOS Sierra 10.12.4.”
MacDailyNews Take: Yet another example of why you should never reuse passwords – use unique passwords everywhere – and why you should always keep your operating systems up to date!