According to Luyi Xing, a security researcher and leader of a team of seven researchers from Indiana University, Georgia Institute of Technology, and Peking University, a set of vulnerabilities has been identified that allows a malicious application to gain unauthorized access to other applications.
Such an application can steal extremely sensitive data, including passwords, tokens for the iCloud Mail application, and web passwords currently stored in Chrome. Xing further explained that these malicious applications had no trouble passing the vetting process established by Apple and were even published on the Mac and iOS app stores.
He added that the Keychain service, which is used for storing passwords and other Apple application credentials, was completely cracked, along with sandbox containers on OS X. The new weakness was found within the inter-app communication mechanisms on OS X and iOS and can be used to steal proprietary information from Facebook, Evernote, and several other popular applications.
Xing and his team notified Apple about the flaw in October of last year, giving the company ample time to address it before it became public knowledge. However, Apple did not tell the public, so Xing felt that people had the right to know.
After being contacted, Apple confirmed that the flaw is significant, but nothing has been done to remove it from current OS X and iOS versions. Apple has provided no information on when the flaw will be corrected.