Proof-of-concept app in Apple's App Store sent keystrokes to remote server.
Researchers said they have identified a flaw in Apple's iOS that makes it possible for attackers to surreptitiously log every touch a user makes, including characters typed into the keyboard, TouchID presses, and adjustments to the volume control.
The vulnerability affects even non-jailbroken iPhones and iPads running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those running on 6.1.x, researchers from security firm FireEye wrote in a blog post published Monday night. They said attackers could carry out the covert monitoring using an app that bypasses Apple's stringent app review process. The app uses multitasking capabilities built into iOS to capture user inputs.
The disclosure comes three days after Apple patched an extremely critical iOS vulnerability that gave attackers an easy way to bypass the encryption that many browsers and other types of apps use to prevent eavesdropping on passwords and other sensitive data. Dubbed "goto fail," after one of the lines of code responsible for the bug, the flaw remains unfixed in OS X 10.9.0 and 10.9.1. Apple has yet to say when a patch will be released.