Apple fixed a Keychain flaw in iCloud that can be exploited by the attackers to steal sensitive data from iCloud users. The vulnerability allowed hackers/attackers to run man-in-the-middle (MITM) attacks to capture sensitive users information.
Keychain is password management system in macOS developed by Apple. It was introduced with Mac OS 8.6 and has been included in all subsequent versions of Mac OS, including macOS. A Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.
The vulnerability is related to Apple’s open source implementation of the Off-The-Record (OTR) messaging protocol. Devices can only transmit OTR data if they are part of a group of trust called “signed syncing circle,” which is signed with a syncing identity key associated with each device and a key derived from the user’s iCloud password. Joining the circle requires permission from an existing device and user interaction.
The researcher (Alex Radocea) discovered that, due to improper error handling, the signature verification routine for OTR could have been bypassed, enabling the attacker (using MITM) to establish an OTR session without needing the syncing identity key.
Radocea said:
“For an adversary to gain access to user Keychain secrets, an adversary could leverage this flaw with one of the several capabilities to receive keychain secrets. First, assuming that two-factor authentication is not enabled for the user, an attacker with the victim’s iCloud password would be able to directly access and modify entries in the user’s iCloud KVS data.”
The vulnerability has been fixed by Apple by improving the validation for the authenticity of OTR packets.