Is the title bit scary? Of course it is, according to the reports from Security firm Skycure. The company says, bad guys out there can make use of Configuration profiles to pull out passwords and other data without the user’s knowledge. Ok! What’s that configuration profiles? Configuration profiles are used by trusted parties like Apple and mobile carriers. These parties use configuration profiles to alter settings in iOS; sometimes to deliver patches and to distribute other updates. So configuration profiles are harmless, if they were used by trusted parties. But if you install those from untrusted sources, then your device might be under malware threat.
According to the reports from Skycure, the company had tested out a scenario by installing a configuration profile from a fake website (by a prompting to install) and sent the link out to Panzarino. Once it was installed, the company found they were able to pull out passwords and other critical data from the device.
“After the profile was installed, Sharabani demonstrated to me that he could not only read exactly which websites I was visiting, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS, instead it uses standardized frameworks to deliver a profile that has malicious intent.”
Courtesy: iDB
So how to make sure, you don’t install malicious Configuration Profiles? That’s simple! Don’t install configuration profiles from unknown source/party. We know Apple uses Configuration profiles, but may not be in long run, because the method seems to be vulnerable.
