Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More

Posted: Feb 23 2014, 4:51pm CST | by , Updated: Feb 24 2014, 4:03am CST, in Apple

First, Apple revealed a critical bug in its implementation of encryption in iOS, requiring an emergency patch. Then researchers found the same bug is also included in Apple’s desktop OSX operating system, a gaping Web security hole that leaves users of Safari at risk of having their traffic hijacked. Now one researcher has found evidence that the bug extends beyond Apple’s browser to other applications including Mail, Twitter, Facetime, iMessage and even Apple’s software update mechanism.

On Sunday, privacy researcher Ashkan Soltani posted a list of OSX applications on Twitter that he says he’s determined use Apple’s “secure transport” framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL. The full list, which isn’t comprehensive given that Soltani only analyzed the programs on his own PC, is shown below. (Soltani has underlined the vulnerable application names in red.)

Soltani, an independent researcher whose recent work has included analyzing the surveillance documents leaked by NSA contractor Edward Snowden on behalf of the Washington Post, warns that the security of several applications on that list is severely compromised, including Apple’s email program Mail, scheduling app Calendar and its official Twitter desktop client. The bug affects how Apple devices authenticate their secure connection with servers, allowing an eavesdropper to fake that verification and hijack or corrupt traffic using what’s known as a “man-in-the-middle” attack. “All these apps would be vulnerable to the same man-in-the-middle vulnerability outlined on Friday,” Soltani says.

Some of the affected apps such as iMessage and Facetime have added security that could reduce the effects of the security vulnerability, though Soltani warns that for the iMessage instant messaging application the initial login at Apple’s website may be compromised, even if the messages themselves remain encrypted, and that similar problems may exist for Facetime. “There are going to be parts of the protocol like the initial ‘handshake’ that rely on TLS, and those will be vulnerable to man-in-the-middle attacks,” Soltani says.

Equally troubling is the notion that Apple’s Software Update application is affected, which means that Apple’s mechanism for pushing new code to OSX machines, including security updates, could be compromised. Soltani notes that in addition to SSL and TLS, Software Update also checks for Apple’s signature on any code that it asks users to install. But he adds that the code-signing protection hasn’t stopped malware from spoofing those updates in the past to install spying tools on victims’ machines.

I’ve reached out to Apple for comment on Soltani’s findings, and I’ll update this post if I hear from the company.

Apple’s newly discovered security flaw, dubbed “gotofail” by the security community because a single improperly used “goto” statement in Apple’s code triggered it, initially came to light Friday when Apple issued a security update for iOS. Researchers at the security firm CrowdStrike and at Google quickly reverse-engineered that patch to show how it affected OSX as well, and initially recommended that users stay away from untrusted networks and avoid Safari, which is more dependent on Apple’s implementation of SSL and TLS than other browsers such as Chrome or Firefox.
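To show what a single stray “goto” can do to a signature check, here is an added example (it is not Apple’s Secure Transport source, and not code from the article). It reproduces the control-flow defect in a constructed, self-contained form: the server’s key-exchange parameters are hashed and compared against a “signature”, with each step returning 0 on success and jumping to a `fail:` label on error, the same convention as the real code. The hash (`toy_hash_*`), the comparison (`toy_verify`) and the two verifier functions (`verify_vulnerable`, `verify_fixed`) are hypothetical stand-ins chosen so the example runs offline; only the structure of the bug and its fix is the point.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy hash (FNV-1a style) standing in for SHA-1 in this example.
 * Every step returns 0 on success, non-zero on error, like Secure Transport. */
typedef struct { uint32_t sum; } toy_hash_ctx;

static int toy_hash_init(toy_hash_ctx *ctx) { ctx->sum = 2166136261u; return 0; }

static int toy_hash_update(toy_hash_ctx *ctx, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) { ctx->sum ^= data[i]; ctx->sum *= 16777619u; }
    return 0;
}

static int toy_hash_final(toy_hash_ctx *ctx, uint32_t *out) { *out = ctx->sum; return 0; }

/* Toy "signature": the legitimate server would present exactly the hash value.
 * A mismatch models a signature that does not verify (errSSLCrypto in the real code). */
static int toy_verify(uint32_t hash, uint32_t signature) {
    return hash == signature ? 0 : -1;
}

/* Helper for callers/tests: what a genuine server's signature would be. */
uint32_t toy_signature_for(const uint8_t *params, size_t len) {
    toy_hash_ctx ctx;
    uint32_t hash = 0;
    toy_hash_init(&ctx);
    toy_hash_update(&ctx, params, len);
    toy_hash_final(&ctx, &hash);
    return hash;
}

/* VULNERABLE shape: the duplicated, unindented-by-meaning `goto fail;` is
 * unconditional. The final hash and the verify call are never reached, and
 * `err` is still 0 from the last successful update, so ANY signature passes. */
int verify_vulnerable(const uint8_t *params, size_t len, uint32_t signature) {
    toy_hash_ctx ctx;
    uint32_t hash = 0;
    int err;

    if ((err = toy_hash_init(&ctx)) != 0)
        goto fail;
    if ((err = toy_hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;   /* the extra line: always taken, skips verification entirely */
    if ((err = toy_hash_final(&ctx, &hash)) != 0)
        goto fail;
    err = toy_verify(hash, signature);

fail:
    return err;
}

/* FIXED shape: one goto per check, so the verify call is always reached. */
int verify_fixed(const uint8_t *params, size_t len, uint32_t signature) {
    toy_hash_ctx ctx;
    uint32_t hash = 0;
    int err;

    if ((err = toy_hash_init(&ctx)) != 0)
        goto fail;
    if ((err = toy_hash_update(&ctx, params, len)) != 0)
        goto fail;
    if ((err = toy_hash_final(&ctx, &hash)) != 0)
        goto fail;
    err = toy_verify(hash, signature);

fail:
    return err;
}

int main(void) {
    const uint8_t *params = (const uint8_t *)"server-params";   /* constructed input */
    size_t len = strlen((const char *)params);
    uint32_t genuine = toy_signature_for(params, len);
    uint32_t forged = genuine ^ 1u;   /* a signature that must NOT verify */

    printf("fixed, genuine signature : %d (0 = accepted)\n", verify_fixed(params, len, genuine));
    printf("fixed, forged signature  : %d (non-zero = rejected)\n", verify_fixed(params, len, forged));
    printf("vulnerable, forged sig   : %d (0 = wrongly accepted)\n", verify_vulnerable(params, len, forged));
    return 0;
}
```

The defensive lesson is that the compiler happily accepts the second `goto`, and the function still returns a success code because `err` was last assigned by a step that succeeded. Bracing every `if` body, turning on unreachable-code warnings (for example clang's `-Wunreachable-code`) and having a negative test that feeds a bad signature and expects rejection would each have caught this shape of bug.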

Soltani’s work, however, shows that the problem extends further, leaving many users with few options for secure communications until Apple issues a fix for its desktop software. The company promised in a statement to Reuters Saturday to make that fix available “very soon.” Given the widening gaps in Apple’s security the flaw exposes, it can’t come soon enough.

Follow me on Twitter, email me, anonymously send me sensitive documents or tips, and check out the new paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers.

Source: Forbes
