On Friday, Apple quietly issued an update for iPhones and iPads that fixed a big problem: a bug in the SSL/TLS code meant an encrypted connection could be accepted even when the other end had not been properly verified, so an attacker on the same network could intercept sensitive information sent during banking sessions, email sessions or Facebook chats. Then the news got worse. Researchers realized the same problem applied to Apple’s other products, its OS X desktops and laptops. Beyond telling Reuters reporter Joseph Menn on Saturday that a fix is coming “very soon,” Apple has been silent on the issue, not even sending a warning to its users about what they should and shouldn’t do while the vulnerability remains unfixed. Instead, it’s been left to journalists (such as my colleague Andy Greenberg) and outside security researchers (such as Ashkan Soltani and Adam Langley of Google) to explain what’s happening in blog posts and to tweet advice to alarmed Macheads lucky enough to be on Twitter to see it.
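The nickname “goto fail” refers to the shape of the bug: a duplicated, unconditional `goto fail;` in the signature-checking path, which jumps past the real check while the error variable still holds “success”. The C below is an added illustration of that control-flow pattern written for this article; it is not Apple’s code. The `OSStatus` values and the `hash_update` and `verify_signature` helpers are stand-ins constructed for the example, and the `signature_valid` flag simulates a forged handshake message from a man in the middle.

```c
/* Added example: a simplified reconstruction of the "goto fail" bug class.
 * Not Apple's code. The helpers and status codes below are constructed
 * stand-ins for the hash-update and signature-verify steps of a TLS handshake. */
#include <stdio.h>

typedef int OSStatus;
enum { errSuccess = 0, errBadSignature = -1, errHashFail = -2 };

/* Stand-in for a hash-update step; step_ok == 1 means it succeeded. */
static OSStatus hash_update(int step_ok)
{
    return step_ok ? errSuccess : errHashFail;
}

/* Stand-in for the signature check; signature_valid == 0 simulates a forged
 * (attacker-supplied) signature that a correct implementation must reject. */
static OSStatus verify_signature(int signature_valid)
{
    return signature_valid ? errSuccess : errBadSignature;
}

/* Vulnerable shape: the second "goto fail;" is not under the if (no braces),
 * so it is always taken. verify_signature() is never called, and err still
 * holds errSuccess from the hash step, so the caller sees "verified". */
OSStatus verify_vulnerable(int signature_valid)
{
    OSStatus err;
    if ((err = hash_update(1)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional, skips the check below */
    if ((err = verify_signature(signature_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Hardened shape: braces on every branch and the duplicated goto removed,
 * so the signature check actually runs and its result is what is returned. */
OSStatus verify_fixed(int signature_valid)
{
    OSStatus err;
    if ((err = hash_update(1)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(signature_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Forged signature (0): vulnerable code reports success, fixed code rejects. */
    printf("vulnerable, forged signature: %d\n", verify_vulnerable(0));
    printf("fixed,      forged signature: %d\n", verify_fixed(0));
    printf("fixed,      valid signature:  %d\n", verify_fixed(1));
    return 0;
}
```

The practical lesson is the one static-analysis and compiler warnings (unreachable code, misleading indentation) exist to catch: a branch-skipping bug in verification code fails open, because the default state of the error variable is “no error”.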
Runa Sandvik, a security technologist (and Forbes contributor) who is among those tweeting about Apple’s security problem, created a website, “Has GoTo Fail Been Fixed Yet?”, that pops up a simple “No” with links to coverage users might want to read.
“I created the site to highlight the biggest issue here: that Apple dropped a [zero-day exploit] on users at 4pm on a Friday and has not yet made any statements about when OS X users can expect a patch,” says Sandvik. “When Apple disclosed the iOS bug, they did not mention how long the bug has been around for, how/when it was discovered or affected iOS versions. It was then independent security researchers who discovered that the same issue also affects OS X users.”
Security researchers are offering users the practical advice that isn’t coming from Apple itself: avoid untrusted networks, and prefer browsers that ship their own TLS implementation rather than relying on the system’s.
“Stay away from unencrypted Wifi. Don’t use your own Wifi if you live in a crowded neighborhood and have a weak WPA password,” said cryptography expert Matthew Green, of Johns Hopkins, in an email. “Apple’s whole security posture is insane. They’ve been lucky so far, but if they keep it up with the secrecy they won’t stay lucky.”
“Concerned Mac OSX users should use Chrome or Firefox browser for their online activities and disable background services (like Mail.app or iCloud), especially when they’re using a network they don’t trust (e.g. at an Internet cafe),” writes Soltani. “And iPhone users should be sure to update their systems as soon as updates are available if you haven’t already.”
It’s extremely troubling that Apple is neither alerting users directly about the problem nor offering advice, whether by email, on its website, or through social media channels. Apple doesn’t have an official Facebook or Twitter page to disseminate news or warnings via social channels. Its famously closed culture is not well suited to a security crisis, when users need information about how to protect themselves. Rather than using its Rolodex of users’ contact information to alert them and help them avoid getting hacked, Apple is leaving users to seek out information on their own from outside experts, assuming users are even aware of the security flaw.
“I can’t blame Apple for the SSL bug, but their response has been pretty awful,” tweeted ACLU security technologist Chris Soghoian, who advised the lawmakers or federal agency types who inevitably look into this security mess to “focus on the lack of timely warning to impacted users, not the source of the flaw itself.”
Apple did not respond to requests for comment about the security flaw, or its lack of warning about the flaw to users.