Risk
10/21/2010
10:58 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Apple FaceTime Mac Beta Ships With Pedestrian Security Flaw

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.The security issue was first reported, to the best of my knowledge, by German site MacNotes. And in their post they highlight how an attacker could access a user's Apple ID and even reset their password:

Once you've logged into FaceTime you can have a look at all the account settings of the used Apple ID. Username, ID, place and birth date are shown as well as the security question and the answer to it - in plain text, without another password request. To reset the password to an Apple ID, all you need it the exact birth date and the answer to the security question - we tried that out for you, and it worked fine.

The blog post walks through, step by step, how someone without knowing a user's FaceTime password, can change that password. And, according to the report, even logging out of FaceTime doesn't fix the issue as the app keeps the password stored and active, so that it's a snap for anyone to log in to an unattended system.

The upshot in this flaw is that an attacker would need to have physical access to a system pull off these shenanigans. But with more of us computing on mobile devices - notebooks, smart phones, and tablets - flaws that require physical access to a system provide increasingly less risk mitigation.

What troubles me is that Apple doesn't seem to have conducted any kind of threat modeling on this FaceTime beta software. I mean, really, username, Apple ID, and security questions shouldn't be stored in plain text for the world to see. This is especially true when the software doesn't clear the password when one logs out. And it should go without saying that providing the existing password should be a requirement to conducting a password change. With such carelessness, it makes one wonder what other areas where Apple has so blatantly skimped on security. Are they developing so fast now that security is being pushed aside?

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7437
Published: 2015-03-29
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

CVE-2013-7438
Published: 2015-03-29
Multiple buffer overflows in pbm212030 allow remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted PBM image, related to (1) stream line data, which triggers a heap-based buffer overflow, or (2) vectors related to an "internal intermediate heap-based ...

CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.