NEW YORK (CNNMoney) — Apple claims that its “Keychain” software lets people securely store their passwords on their Macs. As it turns out, hackers can pull the keys off the chain.
A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps.
That exposes the passwords to your iCloud account, notes, photos, email, banking, social media — everything.
Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could “cross over” into other apps.
The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them.
They also found an issue with the way Apple categorizes Mac programs with a unique ID, called a BID. Hackers could assign an email app’s BID to a piece of malware, then get scooped up into a “trusted” group of programs.
The Indiana University team analyzed the top 1,612 Mac apps, and found that 89% of them were susceptible to these kinds of attacks.
To prove that a hacker could pull off the attack, the research team sneaked a malicious app capable of stealing passwords into Apple’s heavily guarded App Store. The malware was disguised as a daily-gag-delivering app called “Joke Everyday.”
Apple did not respond with a comment on Tuesday.
However, people familiar with the company’s practices said that Apple is working on restructuring how its Mac OS X operating system separates apps. But they say that would be a laborious process, requiring all independent Apple developers to establish new security measures and update every app.
Fixing the Keychain will be even more difficult, that person said. Apple is also improving how it reviews incoming new programs to its App Store.
The research team said it went public with its findings on Tuesday, because Apple took too long to fix it. They initially notified the company in October. Apple tweaked its operating system in January, they said, but the supposed fix didn’t actually solve the problem.
Fast-forward to June, and there’s still no solution.
“All these things are very serious,” Wang said. “If we continued to keep silent, it’s unfair to Apple users. It’s very likely someone already knew this hack.”
When researchers find dangerous computer bugs, Apple’s policy is to communicate with them sparsely and quietly fix things behind closed doors. Earlier this month, CNNMoney examined how Apple’s approach to security needs improvement.
Wang said this could have been avoided if Apple communicated more with the outside computer engineers who independently create popular software programs for Macs.
“Apple needs to inform the app developers what they need to do,” he said. “In some cases, Apple provides nothing for app developers to do a security check.”
Leading Indiana University student researcher, Luyi Xing, complained that, while Apple did respond to them at first, the company didn’t actively work with security researchers — and share progress — until after they made their report public.
“Now it’s a couple of emails a day,” Xing said.
A person with knowledge of Apple’s security policies said the company was partly caught by surprise with the sudden publication of this report, since Apple had been communicating with the researchers.
“The problem may have already been fixed if they would have taken it more seriously,” Professor Wang said. “Now they’re actively talking to us. This is more evidence we should go public in some cases.”
The researchers might pay for their adventure. Apple typically revokes developer credentials for anyone who slips malware into the App Store — even for security research. Renowned security researcher Charlie Miller got a one-year suspension from the App Store in 2011 for that very reason.
Wang hopes Apple will spare his six-person team.
“I don’t think it would be fair. Our intention is to help Apple,” he said, adding this foreboding note: “We found more than we disclosed. There’s another new attack that’s pretty serious, and we didn’t make it public.”