If it wasn’t yet clear to Apple that its ‘gotofail’ security flaw has the undivided attention of the information security industry, one of its own recently departed star engineers just spelled out the severity of that bug in highly profane terms.
Don't Miss: The Funniest Super Bowl 2017 Commercials
“WHAT THE EVER LOVING F**K, APPLE??!?!!” wrote former Apple security researcher Kristin Paget in a post on her personal blog Sunday. “FIX. YOUR. SH-T. Soon. Please??”
Paget, a well-regarded researcher who left her position on Apple’s security team for a job at Tesla just earlier this month, wrote perhaps the most scathing critique yet of the company’s security response to its “gotofail” bug, which would allow a wide array of Apple programs’ SSL-encrypted communications to be hijacked, eavesdropped or corrupted. The vulnerability, which earned its nickname due to being caused by a single misplaced “goto” command in Apple’s code, was patched Friday for iOS. But researchers quickly found that it affected Apple’s desktop OSX software as well, and the company has yet to fix the desktop version of the bug.
Paget focused on Apple’s questionable decision to publicize the bug in iOS while leaving the same vulnerability unpatched in millions of desktop devices, practically inviting hackers to take advantage of the flaw. “Did you seriously just use one of your platforms to drop an SSL 0day on your other platform?” she writes, using the phrase “zero-day,” an industry term for a previously unknown security flaw. “As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right?”
Paget’s post illustrates the security community’s growing frustration with Apple’s handling of the security flaw, and her relative fame within that community adds to Apple’s embarrassment. Paget gained widespread attention for hacker stunts such as intercepting AT&T cell phone calls with a homemade fake cell tower at one hacker conference and demonstrating that an RFID chip in a credit card can be read and used to make fraudulent transactions on stage at an another. Her former title at Apple was “hacker princess,” and she had also held positions at eBay and Google.
I’ve reached out to Apple for comment multiple times since the “gotofail” bug came to light, without response. The company promised on Saturday to release a fix for the OSX bug “very soon,” according to a statement it sent to Reuters–not soon enough for Paget.
“Come the hell on, Apple,” she writes. “You just dropped an ugly 0day on us and then went home for the weekend – goto fail indeed.”
Follow me on Twitter , email me, anonymously send me sensitive documents or tips , and check out the new paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.