XARA: everything we need to know

Computer security

Yesterday we published in Actualidad iPhone that a serious security problem had been detected affecting devices running iOS and OS X. The problem has been christened XARA, for Unauthorized Cross-App Resource Access (the X stands for "cross"), and it targets, among other things, the keychain in which OS X stores credentials (the same store that iCloud Keychain syncs), which is why it is of particular concern on OS X. Apple needs to fix this bug, but there is no need to panic either.

In this article we will try to explain everything about XARA: what it does, what it affects, and what we can do to prevent a malicious app from accessing our keychain.

[UPDATE 20/6/2015] Apple talks about XARA:

"Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store." They also responded to a query saying that "We have additional fixes in progress and are working with the researchers to investigate the claims in their paper."

What is XARA?

XARA is the name used to group under one term a set of exploits in which a malicious application gains access to protected information through a legitimate one. The malicious app interposes itself between the legitimate app and the resource or channel it uses (a keychain item, a local port, a URL scheme), in the manner of a local "man-in-the-middle"; in the iOS variant this amounts to phishing, since the malicious app impersonates the legitimate one in order to obtain our credentials.

What is the goal of XARA?

On OS X, XARA targets the keychain database (the credential store behind iCloud Keychain), where our usernames and passwords are kept; WebSockets, a local communication channel between applications and their associated services (for example a browser extension and the application it talks to); and bundle identifiers (BIDs), which are unique to each sandboxed application and determine which data container the sandbox lets it reach.

On iOS, XARA targets URL schemes. URL scheme hijacking is not an operating system vulnerability as such: any app can register a scheme, and the abuse is possible when an app relies on schemes to pass data because no official mechanism for secure communication between apps is in place. On iOS the flaw seems less serious, since its exposure is much more limited.

How are exploits distributed?

Security researchers created proof-of-concept applications and got them accepted into the Mac App Store and the App Store. On OS X such apps could also be distributed from any other website, and we can install them if we configure Gatekeeper (System Preferences > Security & Privacy) to allow apps from outside the Mac App Store.

App stores try to identify malicious behaviour during review. When such behaviour is detected in an app that got through, as happened with XARA, the information feeds back into future reviews so that the same exploits cannot enter the App Store again. So the App Store itself was not compromised.

How do these applications work?

Put simply, they interpose themselves in an exchange of information between applications, or in the resources of sandboxed applications. They claim the resource first and then wait, "fingers crossed", for the legitimate application to be used. If it never is, they can do nothing.

In the case of the OS X keychain, a malicious app can pre-register a keychain item for a service before the legitimate app creates it, or delete an existing item and re-register it, so that when the legitimate app stores its password the malicious app is on the item's access list and can read it. With WebSockets, it can bind the local port first, so that it, and not the intended application, receives whatever is sent to that port. With bundle identifiers, it can add malicious sub-targets (helper programs inside its own bundle) to the access control lists of legitimate applications' containers.

On iOS, the only option is to hijack the URL scheme of a legitimate app and phish through it.

What kind of data is at risk?

Keychain credentials, data exchanged over WebSockets, data in the containers reachable through bundle identifiers, and data passed through URL schemes.

What could be done to prevent XARA?

The best solution would be a system in which applications are securely authenticated in every communication: whoever answers on a port, owns a keychain item or handles a URL scheme would have to prove it is the app it claims to be. That is Apple's job.
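To make the WebSocket case concrete: the following Python script, an added example and not code from the researchers, Apple or any affected vendor, squats a loopback port before the legitimate helper starts, shows that the helper's own bind then fails, and contrasts a client that trusts whoever answers on the port with one that first demands proof of a shared key. Plain TCP on 127.0.0.1 stands in for the WebSocket; the message framing, the shared key and how it would be provisioned are assumptions made for the demo.

```python
"""Port squatting on loopback, as in the XARA WebSocket attack, and a
client-side peer check that defeats it.

Added example, not the researchers' or any vendor's code.  Plain TCP on
127.0.0.1 stands in for the WebSocket channel; the message framing, the
shared key and how it is provisioned are assumptions made for the demo.
"""
import hashlib
import hmac
import os
import socket
import threading

# Assumption: the browser extension and its helper app share this key
# (provisioned at install time); a squatter that binds the port lacks it.
SHARED_KEY = b"demo-key-shared-by-extension-and-helper"
SECRET = b"SECRET:hunter2"          # the password the extension would hand over


def run_server(port, key, received, ready):
    """Serve one connection on 127.0.0.1:port.  With `key` this is the
    genuine helper; with key=None it is a squatter that records whatever
    arrives and bluffs through any challenge it is sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        data = conn.recv(1024)
        if data.startswith(b"CHALLENGE:"):
            nonce = data[len(b"CHALLENGE:"):]
            if key is None:
                tag = b"00" * 32                     # squatter cannot compute the MAC
            else:
                tag = hmac.new(key, nonce, hashlib.sha256).hexdigest().encode()
            conn.sendall(b"RESPONSE:" + tag)
            data = conn.recv(1024)                   # secret, or b"" if client hung up
        received.append(data)
    srv.close()


def start_server(port, key):
    received, ready = [], threading.Event()
    t = threading.Thread(target=run_server, args=(port, key, received, ready), daemon=True)
    t.start()
    ready.wait(5)
    return t, received


def try_bind(port):
    """What the legitimate helper experiences if it starts second."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return True
    except OSError:                                  # EADDRINUSE: port already taken
        return False
    finally:
        s.close()


def naive_client(port, secret):
    """Trusts whoever answers on the port and sends the secret at once."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(secret)
    return True


def authenticating_client(port, key, secret):
    """Sends the secret only after the peer proves it holds the shared key."""
    nonce = os.urandom(16).hex().encode()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(b"CHALLENGE:" + nonce)
        reply = c.recv(1024)
        expected = hmac.new(key, nonce, hashlib.sha256).hexdigest().encode()
        if not (reply.startswith(b"RESPONSE:")
                and hmac.compare_digest(reply[len(b"RESPONSE:"):], expected)):
            return False                             # squatter on the port: abort
        c.sendall(secret)
    return True


def free_port():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def squatted_exchange(authenticate):
    """Squatter binds first; the real helper then cannot; the client connects.
    Returns (helper_bind_failed, client_sent_secret, squatter_got_secret).
    A fresh port is picked only so the demo runs cleanly; the real attack
    squats the fixed port the extension is hard-coded to use."""
    port = free_port()
    t, got = start_server(port, None)
    helper_bind_failed = not try_bind(port)
    if authenticate:
        sent = authenticating_client(port, SHARED_KEY, SECRET)
    else:
        sent = naive_client(port, SECRET)
    t.join(5)
    return helper_bind_failed, sent, SECRET in got


def genuine_exchange():
    """Genuine helper holds the port; the authenticating client completes."""
    port = free_port()
    t, got = start_server(port, SHARED_KEY)
    sent = authenticating_client(port, SHARED_KEY, SECRET)
    t.join(5)
    return sent, SECRET in got


if __name__ == "__main__":
    print("naive client vs squatter:         ", squatted_exchange(authenticate=False))
    print("authenticating client vs squatter:", squatted_exchange(authenticate=True))
    print("authenticating client vs genuine: ", genuine_exchange())
```

Run it directly to print the three outcomes. The particular challenge-response is not the point (a real design would tie the proof to something a squatter can never obtain, such as the peer's code signature); the point is that squatting a local port is trivial, so the client has to authenticate the peer before handing anything over.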

If we find that an item has been deleted from our keychain, it may just be a glitch, but a keychain item we never created, or an existing item whose access list includes an application we do not recognise (visible in Keychain Access under the item's Access Control tab), is a sign that someone has had access to it.
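As a concrete check for that symptom: the following Python script, an added example and not code from the researchers or Apple, reads the output of `security dump-keychain -a` (the command-line view of the same access lists Keychain Access shows) and flags every keychain item whose access control list names an application outside a list of trusted paths. The dump embedded in it is constructed for the demo in the shape of that command's output, and the trusted-path list is an assumption to be adapted to your own machine.

```python
"""Audit `security dump-keychain -a` output for keychain items whose
access control list names an application we do not recognise.

The XARA keychain attack creates (or deletes and re-creates) a keychain
item with the attacker's app on its ACL and waits for the legitimate app
to store its password there, so an unexpected application path on an
item's ACL is the thing to look for.

Added example, not the researchers' or Apple's code.  SAMPLE_DUMP is
constructed in the shape of `security dump-keychain -a` output.  On a
real Mac:  security dump-keychain -a login.keychain | python3 audit.py
"""
import re
import sys

# Constructed sample: two items.  The second carries an extra application
# on its ACL that has nothing to do with the service.
SAMPLE_DUMP = """\
keychain: "/Users/alice/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Chrome Safe Storage"
    "acct"<blob>="Chrome"
    "svce"<blob>="Chrome Safe Storage"
access: 1 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        don't-require-password
        description: Chrome Safe Storage
        applications (1):
            0: /Applications/Google Chrome.app (OK)
keychain: "/Users/alice/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="iCloud"
    "acct"<blob>="alice@example.com"
    "svce"<blob>="iCloud"
access: 1 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        don't-require-password
        description: iCloud
        applications (2):
            0: /System/Library/CoreServices/AppleIDAuthAgent (OK)
            1: /Applications/FreeGame.app/Contents/MacOS/FreeGame (OK)
"""

# Assumed trusted paths (exact path or directory prefix).  Keep this
# narrow: allowing all of /Applications would hide exactly the attack.
TRUSTED = ["/System/", "/usr/", "/Applications/Google Chrome.app"]


def parse_items(dump):
    """Split a dump into items: {'service', 'account', 'apps': [paths]}."""
    items, item, in_apps = [], None, False
    for line in dump.splitlines():
        if line.startswith("keychain:"):            # every item starts here
            item = {"service": None, "account": None, "apps": []}
            items.append(item)
            in_apps = False
            continue
        if item is None:
            continue
        m = re.match(r'\s+"(svce|acct)"<blob>="(.*)"', line)
        if m:
            item["service" if m.group(1) == "svce" else "account"] = m.group(2)
            continue
        if re.match(r"\s+applications \(\d+\):", line):
            in_apps = True                          # ACL application list follows
            continue
        if in_apps:
            m = re.match(r"\s+\d+:\s+(.+?)(?:\s+\((?:OK|CHECK)\))?\s*$", line)
            if m:
                item["apps"].append(m.group(1))
            else:
                in_apps = False
    return items


def trusted(path, allowlist):
    return any(path == ok or path.startswith(ok.rstrip("/") + "/") for ok in allowlist)


def audit(dump, allowlist):
    """Return (service, account, [unexpected apps]) for every item whose
    ACL names an application outside `allowlist`."""
    findings = []
    for item in parse_items(dump):
        bad = [a for a in item["apps"] if not trusted(a, allowlist)]
        if bad:
            findings.append((item["service"], item["account"], bad))
    return findings


if __name__ == "__main__":
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for svc, acct, apps in audit(dump, TRUSTED):
        print(f"{svc!r} ({acct}): unexpected apps on ACL: {apps}")
```

The `-a` flag dumps attributes and access lists only, so the command does not prompt for the keychain password; a finding means an app you did not expect can read that item without any prompt if the item is marked don't-require-password, which is exactly the state the attack relies on.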

Apple has to update the system; that is the most important thing, and it has to be done as soon as possible.

Is it possible to know if my data has been intercepted?

On iOS, the fake app has to be displayed at least for an instant before it hands over to the legitimate app. If we were looking for the flaw we would notice it; if not, it would be hard to spot.

Why was XARA published?

The researchers discovered the flaw last year, reported it to Apple, and the Cupertino company asked them for at least six months to address the problem. Once those six months had passed, the researchers made it public.

Worst of all, publishing it is an irresponsibility that only serves to make the researchers look important. What I would do on discovering such a bug is work with the company until it is fixed. Then, and only then, would I publish the information.

In addition, the researchers themselves acknowledge that Apple has been working on it since it was told about the problem, so publishing the existence of this security flaw is not going to make Apple hurry. It only serves to promote themselves and to put users' data at risk, since now any malicious actor can make use of the published information.

On the other hand, Apple has fixed many more important bugs during this time. It is not that XARA is not dangerous, but that it is not so dangerous as to warrant prioritising it over them, or as much alarm as is being raised. A call for calm.

So what should we do?

XARA is a group of exploits that must be fixed, but it is Apple who must fix them. As iMore, the source of this article, says, there is no need to panic, but every Mac, iPhone or iPad user should be informed. Until Apple fixes the problem, the best advice is business as usual: do not download applications of dubious origin. Two examples: if we download a new game from an unknown developer from the App Store and it asks us for our password to access our keychain, we do not give it. And the same goes for users with a jailbroken device; in that case it is also important to install tweaks only from the official repositories.

Manuel González said:

As always, your articles are very objective and interesting. Greetings from Mexico!