Apple is in the news thanks to its showdown with the FBI over breaking into user iPhones for law enforcement purposes, but its much-touted encryption has shown a flaw.
A group of Johns Hopkins University researchers said that they have found a bug in the company’s code that would enable a skilled attacker to decrypt photos and videos sent as secure instant messages.
Granted, that’s a limited accessible data set, but still significant. Matthew D. Green, a computer science professor at Johns Hopkins University who led the research team, told the Washington Post that “this specific flaw in Apple’s iMessage platform probably would not have helped the FBI pull data from an iPhone recovered in December’s San Bernardino, Calif., terrorist attack, but it shatters the notion that strong commercial encryption has left no opening for law enforcement and hackers.”
But Apple’s coding issues this week won’t end there. There are desktop/laptop problems for Apple lately too. SentinelOne’s lead OS X security expert, Pedro Vilaça, said that he will soon disclose a “major flaw” which impacts Apple’s permissions protection feature and allows hackers to gain access to sensitive data.
“This zero-day vulnerability is present in all versions of Apple’s operating system and can allow a hacker to exploit a key security protection feature which enables normal privilege escalation to be bypassed,” he explained, noting that more details can be expected later in the week during his talk at SysCan360 2016 in Singapore.
These are but the latest Apple-related issues to be uncovered. Last week, Apple Safari was one of the unlucky ones at this year’s Pwn2Own competition, the annual hacking challenge in Vancouver held in tandem with the CanSecWest security conference.
JungHoon Lee was able to chain together four different bugs, including a use-after-free vulnerability and a heap overflow bug to get into Safari and escalate his privileges. He earned $60,000 for his efforts—but he wasn’t the only one to beat up on the Cupertno giant.
A hacking group dubbed Tencent Security Team Shield again took down Safari later in the day by also leveraging a use after free vulnerability in a privileged process, giving them root-level escalation.
Photo © Zeynep Demir/Shutterstock.com