If you downloaded Chinese iOS apps, be alert, there is a nasty iOS malware spreading [XCodeGhost]
It's reported that malware called XCodeGhost has infected many apps on the official Apple iOS App Store. iPhones and iPads using one of these apps can be used as part of a botnet, but even more seriously the vulnerability exposes a risk to passwords stored in apps similar to 1password as it allows passwords copied from password management apps to be sent to the 3rd party controlling the malware.
Read the full article on Macrumors which is one of the news outlets reporting this. http://forums.macrumors.com/threads/what-you-need-to-know-about-ios-malware-xcodeghost.1918784/
Apparently it affects unjailbroken phones as well as jailbroken phones.
I have just visited the 1Password blog but there is no mention of this. I must admit I'm a bit disappointed, I'd like to think that an advisory bulletin would have appeared in the app and blog advising us of a potential problem, while they worked to mitigate the risk.
As you can see from this list, some of the apps affected are quite popular.
MacRumors is advising that anyone using one of the more than 50 apps believed to be affected should uninstall and then change passwords. The list from MacRumors (might not be complete) is as follows:
Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard
Comments
Hi @lammypie,
Thanks for letting us know about this, we're keeping an eye on this and I believe Jeff might write a blog post about this soon. We'll see what we can do here.
As for the malware, this is because instead of downloading the only authorized copy of Xcode from Apple's servers, the Chinese developers got it from illegal sources and that infected every single app they build. This could've been avoided easily if Apple addressed their needs for a fast download server in China and these developers didn't get it from bad sources.
I suspect Apple will add additional protections to block submissions made with non-authorized copies of Xcode soon.
0 -
Thanks @MikeT
1Password got a favourable mention in one of the comments on the MacRumors site: that Apple sandboxing forces password management apps to use the clipboard. I don't understand the behind-the-scenes stuff, but hopefully Apple can (after they've cleaned this up) make some changes to make it easier for you guys.
I hope it's not as serious as it sounds, and that you guys can do something to help mitigate the risk.
0 -
Apparently infected apps have the ability to access the clipboard and can take passwords this way if they are copied and pasted. Can 1Password give us some more details on this? Is this a vulnerability in 1Password?
0 -
MacRumors says they can read out the clipboard.
Does 1Password have any chance to identify whether they read out the passwords when copied to the clipboard?
But they do not have any chance to find out on which URL the password was used, or am I wrong?
0 -
Can apps infected by Malware get access to passwords stored in 1Password?
Are passwords copied to clipboard from within 1Password vulnerable to the malware infection?
0 -
Hi folks,
I've merged a few of the threads from the front page that were all on this topic. Please keep all discussion related to XcodeGhost here.
We are working on a more detailed response to this, but what I can tell you is:
We use legitimate copies of Xcode obtained directly from Apple for our iOS and Mac development work, so 1Password does not have this malware within it.
It does appear apps affected by this malware have access to the iOS clipboard, which could expose any data you've copied to the clipboard from 1Password.
When filling items into web pages using 1Browser or the Safari extension we do not use the iOS clipboard.
The recommendation from MacRumors regarding this vulnerability is to uninstall the apps that have the malware in them (again, 1Password is not one of them), and change any affected passwords. That is the course of action I personally will be following.
Ben
0 -
Thanks for the response. Are there different types of clipboards in iOS or one global across the OS and apps? Do you post the URL with the credentials in the clipboard or just credentials? Also, are the credentials encrypted while in the clipboard?
0 -
Commenting to keep an eye on this thread. Chinese language student, installed at least one of the affected apps. Yay.
0 -
Are there different types of clipboards in iOS or one global across the OS and apps?
I'm only aware of one clipboard.
Do you post the URL with the credentials in the clipboard or just credentials?
To reiterate: when 1Password does a fill action, that does not use the clipboard at all. It is only if you copy something to the clipboard. Whatever you copy is what will be there.
Also, are the credentials encrypted while in the clipboard?
No. They couldn't be. Well, they could be, but then when you pasted them you'd just get garbage (instead of your password).
Ben
0