Apple’s key feature “Safety and Security” is constantly being challenged these days. Previously a report showed a 744% increase in Malware attacks in Apple’s Operating System and now, according to the latest reports, another major flaw regarding iCloud’s security has been detected. We came to know about the flaw when Apple released a ‘Keychain Vulnerability Patch,’ this past month of March.
Possible Wrong Goings Of The Flaw
This iCloud Keychain Vulnerability, dubbed as CVE-2017-2448, could have helped the Man-in-the-Middle (MitM) attackers to get access to user information. Alex Radocea of Longterm Security, who is a security researcher found the bug and is the only person to whom this problem is disclosed.
The malware is actually a critical Keychain weakness which is a serious threat to Apple’s security technique, the end-to-end encryption. Once breached, this could have led the attackers to get the user keychain secrets. Talking about the same problem, one of the security researchers said:
While reviewing attack surfaces on iOS for potential sandbox escapes, we uncovered a critical flaw in a custom Off-The-Record implementation relied upon by iCloud Keychain Sync in addition to a memory trespass error. We are currently not aware of any additional uses of the custom OTR implementation.
Why Is iCloud Keychain Such An Important Thing?
iCloud Keychain is one of the most important features of iOS which stores the users’ credentials such as names, passwords, and even credit card details. This feature was introduced for users to provide them a hassle-free solution to the transfer of their data. To put it in simple words, Apple’s iCloud Keychain feature stores every single data of your device and helps you shift to another Apple device and it’s just like opening your email from different devices. Security researcher Rich Mogull expressed his views on the topic like:
The encryption relies on a syncing identity key which is unique to each device, and the plaintext of the secrets and encryption keys are never exposed to iCloud. This makes it exceedingly difficult even for an adversary with unrestricted access to the iCloud backend or iCloud communications to decrypt keychain data when transmitted or ephemerally stored in iCloud.