iCloud Keychain Sync Security Flaw

Apple's Keychain access has for a while now utilized end-to-end data encryption to protect its users' sensitive data. But now there is a security exploit, previously thought patched, within iCloud's verification of device keys, which can allow attackers to bypass the end-to-end encryption and steal users' passwords and other sensitive information.

Quote

The bug exploited a flaw in how Apple's iCloud Keychain synchronizes sensitive data across devices, like passwords and credit cards on file, which -- if exploited -- could've let a sophisticated attacker steal every secret stored on an iPhone, iPad, or Mac. 

The worst thing about this is that it was thought to have been patched a while ago, and that this flaw is completely silent to users. 

Quote

the flaw could have let an attacker punch a hole in the end-to-end encryption that Apple uses to ensure nobody can read data as it is sent across the internet.

That data can be intercepted by an attacker to steal passwords and other secret data, like the websites you visit and their passwords, as well as Wi-Fi network names and their passwords.

It has been noted, though, that accounts that use two-factor authentication are much better protected from this type of attack.

Alex Radocea, founder of Longterm Security, stated that:

Quote

We could see everything in the Keychain in plain-text, it's completely silent to users, they wouldn't have seen a device being added.

 

Source:

http://www.zdnet.com/article/icloud-security-flaw-icloud-keychain-iphone-mac-passwords-vulnerable/

http://www.techrepublic.com/article/icloud-keychain-encryption-bug-exposes-ios-passwords-credit-card-numbers/

It seems like this was already fixed.

Quote

Apple released a fix in March, with iOS 10.3 and macOS Sierra 10.12.4.

Or was that the fix that didn't end up working?

 

Also it seems they still need to get access via a compromised iCloud account.

Quote

"With the bug I couldn't go ahead and steal whoever's iCloud Keychain just by knowing their account name. I would also need access to their iCloud account somehow,"

 

That seems like kinda a big hurdle, and once you get access to their account you basically have access anyways. The user would just be able to see the new device accessing the keychain vs the bug which accesses it invisibly.

 

Another question I have is what about when you use two different passwords for your iCloud acc and keychain?


18 hours ago, JohnnyCorporalTech said:

It has been noted though, that accounts that use two factor authentication are much better protected from this type of attack. 

I'm good then. Two-factor on iOS is so seamless that everyone should use it. You don't even have to go into an app to use it.
