Risk
10/21/2010
10:58 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Apple FaceTime Mac Beta Ships With Pedestrian Security Flaw

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.The security issue was first reported, to the best of my knowledge, by German site MacNotes. And in their post they highlight how an attacker could access a user's Apple ID and even reset their password:

Once you've logged into FaceTime you can have a look at all the account settings of the used Apple ID. Username, ID, place and birth date are shown as well as the security question and the answer to it - in plain text, without another password request. To reset the password to an Apple ID, all you need it the exact birth date and the answer to the security question - we tried that out for you, and it worked fine.

The blog post walks through, step by step, how someone without knowing a user's FaceTime password, can change that password. And, according to the report, even logging out of FaceTime doesn't fix the issue as the app keeps the password stored and active, so that it's a snap for anyone to log in to an unattended system.

The upshot in this flaw is that an attacker would need to have physical access to a system pull off these shenanigans. But with more of us computing on mobile devices - notebooks, smart phones, and tablets - flaws that require physical access to a system provide increasingly less risk mitigation.

What troubles me is that Apple doesn't seem to have conducted any kind of threat modeling on this FaceTime beta software. I mean, really, username, Apple ID, and security questions shouldn't be stored in plain text for the world to see. This is especially true when the software doesn't clear the password when one logs out. And it should go without saying that providing the existing password should be a requirement to conducting a password change. With such carelessness, it makes one wonder what other areas where Apple has so blatantly skimped on security. Are they developing so fast now that security is being pushed aside?

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web