Risk
10/21/2010
10:58 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Apple FaceTime Mac Beta Ships With Pedestrian Security Flaw

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.The security issue was first reported, to the best of my knowledge, by German site MacNotes. And in their post they highlight how an attacker could access a user's Apple ID and even reset their password:

Once you've logged into FaceTime you can have a look at all the account settings of the used Apple ID. Username, ID, place and birth date are shown as well as the security question and the answer to it - in plain text, without another password request. To reset the password to an Apple ID, all you need it the exact birth date and the answer to the security question - we tried that out for you, and it worked fine.

The blog post walks through, step by step, how someone without knowing a user's FaceTime password, can change that password. And, according to the report, even logging out of FaceTime doesn't fix the issue as the app keeps the password stored and active, so that it's a snap for anyone to log in to an unattended system.

The upshot in this flaw is that an attacker would need to have physical access to a system pull off these shenanigans. But with more of us computing on mobile devices - notebooks, smart phones, and tablets - flaws that require physical access to a system provide increasingly less risk mitigation.

What troubles me is that Apple doesn't seem to have conducted any kind of threat modeling on this FaceTime beta software. I mean, really, username, Apple ID, and security questions shouldn't be stored in plain text for the world to see. This is especially true when the software doesn't clear the password when one logs out. And it should go without saying that providing the existing password should be a requirement to conducting a password change. With such carelessness, it makes one wonder what other areas where Apple has so blatantly skimped on security. Are they developing so fast now that security is being pushed aside?

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5312
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVE-2012-6662
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

CVE-2014-1424
Published: 2014-11-24
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

CVE-2014-7817
Published: 2014-11-24
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

CVE-2014-7821
Published: 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?