A group of researchers uncovered potentially deadly zero-day vulnerabilities in both the iOS and Mac OS X operating systems that could allow attackers to get access to the passwords in Keychain and even bypass the App Store's security checks, including stealing passwords from installed apps.
As a proof of concept, the researchers created and published a malicious app (dubbed XARA) on the App Store that was able to siphon users' personal data. It allows anyone to bypass the OS X sandboxing mechanisms that are supposedly designed to prevent an app from accessing the credentials, contacts, and other important data related to other apps.
The flaw hinges on Keychain's inability to verify which app owns a credential, and even the OSes (both OS X and iOS) failed to check for any suspicious activity.
It is recommended that users "be alert to any occasion where they're asked to login manually when that login is usually done automatically by Keychain" and never to allow either their browser or a password manager to store their sensitive logins, such as online banking details.