Indiana University researchers have discovered unforeseen flaws ("zero-day") in Apple’s iOS and OS X, as described in a detailed paper titled “Unauthorized Cross-App Resource Access on Mac OS X and iOS”. Using these bugs, attackers could exploit Apple’s password-storing keychain, app sandboxes, and App Store security checks, among other supposedly secure systems. The researchers were able to upload malware to Apple’s app stores without any security issues or setbacks. The malware, when installed on a user’s Mac, could steal passwords for services including iCloud, the native Mail client, and all passwords stored with Google Chrome.
In another developing cyber breach, the breach of the United States Office of Personnel Management may affect more people than previously thought. In congressional questioning, OPM director Katherine Archuleta noted that there were two types of breaches but she is only willing to attach a number to one of the breaches. According to her, only 4.2 million personnel records were compromised, although Senate meetings with the FBI using OPM’s own internal data reveal that the number is closer to 18 million personnel records. Moreover, based on the nature of the second type of breach, the number affected is virtually uncountable and could be as high as 30 million or more.
In the private sector, Adult Friend Finder, an online adult dating site, confirmed a breach of at least 3.5 million records. In addition to confirming the breach, Adult Friend Finder also announced the hiring of a third-party forensics expert, a FireEye company, a law firm, and a global PR firm that specializes in cyber security.