A
team of security researchers has released information detailing a
combination of exploits that would allow anyone to steal passwords that a
user has stored in his or her iCloud Keychain and intercept data being
shared between apps. The flaws relate to unauthorised cross-app resource
access (XARA) as a result of using inadequately secure coding
techniques, and affect both iOS and OS X.
The six researchers say
they informed Apple of the problem six months ago and are releasing the
information now because no fix has been forthcoming despite promises
from the company and at least some contact during that time. It is
extremely likely that attackers will jump at the opportunity to use this
information to craft deadly and undetectable new ways of stealing
passwords and other sensitive data.
As reported by The Register,
the team was able to demonstrate working attacks that involved
submitting apps to the Apple App Store, in which code designed to
exploit the weakness was not detected. They were then able to steal
passwords including those to email accounts.
According to the team, 1,612 popular apps were tested and 88.6 percent of them
were found to be vulnerable to XARA attacks. Google Chrome, Facebook,
WeChat and Evernote were amongst the popular apps specifically named by
the team, to which they were able to gain access because of insecure
cross-app sharing mechanisms. Even banking sites visited from within
Chrome could be broken into once credentials were stolen.
Details
are available in the paper titled Unauthorized Cross-App Resource Access
on Mac OS X and iOS, which has been published online for anyone to see.
Videos demonstrating potential attacks have also been uploaded to YouTube. According to the team, Apple had asked for six months' time to issue a
fix, but despite there being some evidence that the company has been
tweaking its security mechanisms, there has been no concrete solution.
App developers will also have to make sure they are using best practices
in order to keep users safe.
Apple is widely known for
restricting apps on its platforms, especially the way they communicate
with each other, in order to make sure there are secure barriers between
them. Some of the flaws collectively being referred to as XARA also
affect other platforms, particularly those on which URL schemes and
HTML5 WebSockets are used to pass information between apps.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.
Further reading:
Apple,
OS X,
XARA,
hack,
iCloud,
iCloud Keychain,
iOS,
passwords,
security,
security flaw,
security vulnerability,
sensitive information
Apple Tipped to Turn to Intel to Build Its Entry-Level M-Series Chipsets29 November 2025
Search
![[Partner Content] OPPO F31 Series: The Durable Champion That Stays Smooth & Powerful](https://c.ndtvimg.com/2025-11/5gnig168_image_160x120_04_November_25.jpg?downsize=180:*)
![[Sponsored] Galaxy Tab S10 Lite: Built for Learning and Work](https://c.ndtvimg.com/2025-10/r1vp89to_image_160x120_24_October_25.png?downsize=180:*)
![[Sponsored] Samsung Galaxy Tab S11 Series: Creativity Meets AI](https://c.ndtvimg.com/2025-10/nulv3ca4_image_160x120_23_October_25.png?downsize=180:*)
