Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s test regime. A group of researchers presenting at Usenix Security were able to spread malicious chunks of code through an apparently innocuous app for activation later.
According to their paper, the Georgia Tech team wanted to create code that could be rearranged after it had passed App Store review. The app would look innocuous while running in the test environment, be approved and signed, and would later be turned into a malicious app.
They created an app that operated as a Georgia Tech “news” feed but carried malicious code distributed throughout the app as “code gadgets” that stayed idle until the app received the instruction to rearrange them. Because each gadget looks benign on its own and the malicious control flow does not exist in the submitted binary, neither static nor dynamic review sees anything to reject. After the app passes App Review and lands on the end user’s device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.
The instructions for reassembly of the app arrive through a phone-home after the app is installed.
The app runs inside the iOS sandbox, but can still perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
A list of 27 user names and encrypted passwords, allegedly taken from an Apple website, was posted to the Internet over the weekend along with a warning from the hacker group Anonymous that the Cupertino-based computer maker could be a target of its attacks.
The list was posted to Pastebin, a hosting site for text files, by an unknown user under the title “Not Yet Serious.” It wasn’t immediately clear whether the user is a member of Anonymous, but the existence of the file became widely known after Anonymous linked to it in a Twitter message.
“Not being so serious, but well,” the message read before linking to the Pastebin page. “Apple could be target, too. But don’t worry, we are busy elsewhere,” the message said.
The data appears to be a set of user names and encrypted passwords from an SQL database for an online survey at the Apple Business Intelligence website. The site is currently offline.
Apple did not immediately respond to a request for comment.
In an apparently unrelated posting, a Lebanese grey-hat hacker called idahc_hacker said he had found vulnerabilities on another Apple website: SQL injection, which can be used to read or modify data in the site’s database without authorization, and iFrame injection, which lets an attacker serve content of his choosing to the site’s visitors.
Grey-hat hackers do not normally hack for malicious purposes, and the Lebanese hacker did not post any data obtained from the site.
In pointing out the flaws, he said he was not part of Anonymous or LulzSec, an allied group that recently disbanded.
Japanese video game maker Sega Corp said on Sunday that information belonging to 1.3 million customers had been stolen from its database, the latest in a string of global cyber attacks against video game corporations.
Names, birth dates, e-mail addresses and encrypted passwords of Sega Pass online network members had been taken, Sega said in a statement, though payment data such as credit card numbers was safe. Sega Pass has been shut down.
“We are deeply sorry for causing trouble to our customers. We want to work on strengthening security,” said Yoko Nagasawa, a Sega spokeswoman, adding it is unclear when the firm would restart Sega Pass.
The attack against Sega, a division of Sega Sammy Holdings that makes game software such as Sonic the Hedgehog as well as slot machines, follows other recent significant breaches, including one at Citigroup, which said over 360,000 accounts were hit in May, and one at the International Monetary Fund.
The drama surrounding the recent round of video game breaches paled in comparison with what PlayStation maker Sony Corp experienced following two high-profile attacks that surfaced in April.
Those breaches led to the theft of account data for more than 100 million customers, making them the largest ever theft of data outside the financial services industry.
Sega Europe, a division of Sega that runs the Sega Pass network, immediately notified Sega and the network customers after it found out about the breach on Thursday, Nagasawa said.
Lulz Security, a band of hackers that has initiated cyber attacks against other video game firms including Nintendo, has unexpectedly offered to track down and punish the hackers who broke into Sega’s database.