Good thing you are here then, else Swordmaker would surely cover this one up.
I do what I can, in my quiet, modest way.
Sorry I took so long getting back to comment on these claims. While there are some vulnerabilities here, the biggie is the claim that they were able to get iCloud tokens... implying that gets them into a user account on iCloud. That is not true.
An iCloud "token" is the handshake ID that is used when Apple's App Store connects to the computer to download software from the App Store to assure that the user and the iCloud connection are both legitimate.
The iCloud token DOES NOT allow a hacker access to a user's iCloud account data, which the article implies. To access the data in an iCloud account requires the user's iCloud user name and iCloud password, which are NOT stored in the Keychain as the iCloud Token is stored. The user's password, which is entangled with the UUID of the device, is used to encrypt the data on iCloud and cannot be decrypted by any external computer and must be decrypted on the user's computer.
All these researchers demonstrated was the ability to steal the handshake token that would allow them to download software from Apple or create a Man-in-the-middle server to allow downloading of malicious software onto this single Mac.
However, to accomplish that, the Mac had to have malicious software ALREADY downloaded on it to steal the token in the first place.
They were able to poison THEIR Mac's keychain because they already had access to that Mac. However, getting access to poison someone else's Mac's keychain is problematic.
There is the failure point of these vulnerabilities. How do they initiate the exploits? They need to get their poison program onto the Mac to poison the keychain.
The researchers postulate that it would be easy to get malicious software onto Apple's App Store. They give no examples of such software ever being posted by Apple... and blithely claim that they were able to "post" such malicious apps on Apple's Mac App Store. That WILL get each and every one of them blacklisted for life by Apple now that they have publicly admitted hiding deliberately malicious code in an App. They have actually admitted to a criminal felony by doing such a thing. Frankly, I find that hard to believe because of the difficulty in getting certification for posting Apps on the Mac store. Perhaps it is true, but it would NOT remain there long, once even a few instances of exploits in the wild were reported.
Again, this gets back to letting a TROJAN onto your system to start the daisy chain of exploits. Apple does have to do more in checking the Apps' sub-programs allowed on the App Stores, but I think they are doing a pretty good job now. Finally, don't download Apps from untrusted sources and you will probably be OK.