CPR-Zero: CVE-2015-5832

Information

AppleID credentials may persist in the keychain after sign out

Crash Dump

None

PoC

On a jailbroken device, by using a tool that has been signed with a self-signed certificate with a wildcard entitlement that should grant the tool access to all keychain items that would have been granted had the tool been signed with each individual entitlement.

An example of such information pulled out from the keychain:

<keychain-item>
<service>com.apple.account.iTunesStore.password</service>
<account>account</account>
<data>password</data>
</keychain-item>

A common possible way which exposes the user’s private data is when the device owner sells his device (iPhone/iPad/iPod), without being aware of the proper way to clean the application keychain data.
If the user logout from the application and perform a partial device reset (e.g: ‘Reset All Settings’) the information will still be stored in the keychain.
The proper way to avoid this kind of sensitive data exposure for none iOS 9 users is to select ‘Erase All Content and Settings’.

References:
https://support.apple.com/en-il/HT205212

Share this: