Erik van Straten<p>Passkey/password bug: iOS 18.3.1</p><p>Ook in iOS versie 18.3.1 is de eerder door mij gemelde iCloud KeyChain (*) kwetsbaarheid nog niet gerepareerd (eerder schreef ik hierover, Engelstalig: <a href="https://infosec.exchange/@ErikvanStraten/113821443334366419" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113821443334366419</span></a>).</p><p>(*) Tegenwoordig is dat de app genaamd "Wachtwoorden" (of "Passwords").</p><p>De kwetsbaarheid bestaat indien:</p><p>• De eigenaar een "passcode" (pincode of wachtwoord) gebruikt om de iPhone of iPad te ontgrendelen - en er GÉÉN biometrie is geconfigureerd;</p><p>ofwel:</p><p>• De gebruiker wel biometrie kan gebruiken om het scherm te ontgrendelen, doch in 'Instellingen' > 'Touch ID en toegangscode' de instelling "Autom. invullen wachtw." is UITgezet.</p><p>Zie onderstaande screenshots (Engelstalig in <a href="https://infosec.exchange/@ErikvanStraten/113821443334366419" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113821443334366419</span></a>). Meer info ziet u door op "Alt" in de plaatjes te drukken.</p><p>Probleem: iedereen met toegang tot de ontgrendelde iPhone of iPad kan dan, *zonder* opnieuw lokaal te hoeven authenticeren:</p><p>1) Op elke website inloggen waarvan het user-ID en wachtwoord in iCloud Keychain zijn opgeslagen;</p><p>2) Met passkeys op enkele specifieke websites inloggen (waaronder <a href="https://account.apple.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">account.apple.com</span><span class="invisible"></span></a> en <a href="https://icloud.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">icloud.com</span><span class="invisible"></span></a>), namelijk als volgt:</p><p>a) Open de website;<br>b) Druk op "Inloggen";<br>c) Druk op de "x" rechts bovenaan de pop-up die verschijnt (in de onderste schermhelft);<br>d) Druk kort in het veld waar om het e-mailadres gevraagd wordt;<br>e) Druk op de knop "gebruik passkey".</p><p>Risico: uitlenen van een unlocked iDevice (o.a. aan kinderen) maar ook diefstal nadat de passcode is afgekeken. Of als de dief geen passcode heeft, als deze wacht tot de eerstvolgende iOS/iPadOS kwetsbaarheid bekend wordt waarbij de schermontgrendeling omzeild kan worden.</p><p>Als u ze nog niet gezien heeft, bekijk in elk geval de eerste van de volgende twee video's van Joanna Stern (van de Wall Street Journal):<br><a href="https://youtube.com/watch?v=QUYODQB_2wQ" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtube.com/watch?v=QUYODQB_2wQ</span><span class="invisible"></span></a><br><a href="https://youtube.com/watch?v=tCfb9Wizq9Q" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtube.com/watch?v=tCfb9Wizq9Q</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/TouchID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TouchID</span></a> <a href="https://infosec.exchange/tags/FaceID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FaceID</span></a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/iCloudKeychain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iCloudKeychain</span></a> <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passwords</span></a> <a href="https://infosec.exchange/tags/PadswordsApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PadswordsApp</span></a> <a href="https://infosec.exchange/tags/Wachtwoorden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wachtwoorden</span></a> <a href="https://infosec.exchange/tags/WachtwoordenApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WachtwoordenApp</span></a> <a href="https://infosec.exchange/tags/Biometrie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Biometrie</span></a> <a href="https://infosec.exchange/tags/Passcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passcode</span></a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOS</span></a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPadOS</span></a> <a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPhone</span></a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPad</span></a> <a href="https://infosec.exchange/tags/iDevice" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iDevice</span></a> <a href="https://infosec.exchange/tags/ScreenLock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ScreenLock</span></a> <a href="https://infosec.exchange/tags/ScreenUnlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ScreenUnlock</span></a> <a href="https://infosec.exchange/tags/SchermVergrendeling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SchermVergrendeling</span></a> <a href="https://infosec.exchange/tags/SchermOntgrendeling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SchermOntgrendeling</span></a> <a href="https://infosec.exchange/tags/SchermOntgrendelCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SchermOntgrendelCode</span></a> <a href="https://infosec.exchange/tags/PINcode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PINcode</span></a> <a href="https://infosec.exchange/tags/Kwetsbaarheid" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kwetsbaarheid</span></a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerability</span></a> <a href="https://infosec.exchange/tags/OngeautoriseerdeToegang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OngeautoriseerdeToegang</span></a> <a href="https://infosec.exchange/tags/IdentiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentiteitsFraude</span></a> <a href="https://infosec.exchange/tags/Inloggen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Inloggen</span></a> <a href="https://infosec.exchange/tags/Stern" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Stern</span></a> <a href="https://infosec.exchange/tags/JoannaStern" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>JoannaStern</span></a> <a href="https://infosec.exchange/tags/WSJ" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WSJ</span></a></p>