Discovered by a team of six researchers at Indiana University, Georgia Tech, and China’s Peking University, the exploits rely on fundamental flaws in the implementation of Keychain’s access control lists, OS X’s app containers, and the URL schemes that let apps call out to each other. Apple was notified of the vulnerabilities last October, the researchers told The Register, and then asked for a six-month extension before the paper was made public, which the researchers granted.
The vulnerability in Keychain stems from its inability to verify whether an app should be entitled to create or modify a given entry. Using the newly discovered exploit, a malicious app can delete an existing entry — or create it before the legitimate app has a chance to — and list both itself and the legitimate app on the entry’s access control list. Once the legitimate app writes its secret into that shared entry, the malicious app simply reads it back.
A proof-of-concept video shows the team removing the Keychain entry for a local user’s iCloud account, then creating a new one using a malicious app. After signing in to iCloud through System Preferences, the malicious app successfully retrieves the secret iCloud token stored in that entry. The same attack was used to retrieve passwords stored in Keychain by Google’s Chrome browser, which will reportedly remove Keychain access until a fix is issued.
So long as your iPhone or iPad aren’t jailbroken, they aren’t at risk of an attack like this, which for now remains a proof of concept rather than anything seen in the real world.
Your desktop and laptop are the bigger concern — and since Keychain crosses from OS X to iOS, an infected MacBook could grab passwords off your iPhone. As always, the best thing you can do to maintain security is to keep physical possession of your computers and use caution when installing unsigned software.