Risk
10/21/2010
10:58 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Apple FaceTime Mac Beta Ships With Pedestrian Security Flaw

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.

On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.The security issue was first reported, to the best of my knowledge, by German site MacNotes. And in their post they highlight how an attacker could access a user's Apple ID and even reset their password:

Once you've logged into FaceTime you can have a look at all the account settings of the used Apple ID. Username, ID, place and birth date are shown as well as the security question and the answer to it - in plain text, without another password request. To reset the password to an Apple ID, all you need it the exact birth date and the answer to the security question - we tried that out for you, and it worked fine.

The blog post walks through, step by step, how someone without knowing a user's FaceTime password, can change that password. And, according to the report, even logging out of FaceTime doesn't fix the issue as the app keeps the password stored and active, so that it's a snap for anyone to log in to an unattended system.

The upshot in this flaw is that an attacker would need to have physical access to a system pull off these shenanigans. But with more of us computing on mobile devices - notebooks, smart phones, and tablets - flaws that require physical access to a system provide increasingly less risk mitigation.

What troubles me is that Apple doesn't seem to have conducted any kind of threat modeling on this FaceTime beta software. I mean, really, username, Apple ID, and security questions shouldn't be stored in plain text for the world to see. This is especially true when the software doesn't clear the password when one logs out. And it should go without saying that providing the existing password should be a requirement to conducting a password change. With such carelessness, it makes one wonder what other areas where Apple has so blatantly skimped on security. Are they developing so fast now that security is being pushed aside?

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.