Apple hurries to correct gaping Wi-Fi security flaw
The company first announced that security researchers had discovered a flaw in the Secure Socket Layer (SSL), where hackers were able to monitor, steal, or change email and login credentials. Customers who own products with iOS versions 6.1.5, 7.0.4, and 7.0.5 as well as OS X 10.9.0 and 10.9.1 are known to be especially vulnerable, according to Ars Technica.
“Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said in the initial announcement. “Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.”
Matt Green, a Johns Hopkins University professor who specializes in encryption, told Ars that a potential hacker would be able to “basically set up a connection and pretend to be Google.com” and that they “can basically say: ‘Hey, I’m Google, here’s my signature.’ And since nobody is actually going to check the signature, [the attacker] just puts nonsense in there.”
Security experts have suggested that, because of the number of versions and devices affected, millions of people may have had their information exposed over the past few weeks. Any information sent or received via an insecure network may have been intercepted, including credit cards, addresses, and other sensitive details.
The company released iOS 7.0.6 to correct the issue, although many users took to social media and Mac online forums to complain that the patch had caused their iPhones and iPads to freeze. An update has yet to be released for Mac computers and Apple has warned users to avoid connecting to a public internet connection with their laptop or desktop computer.
Ashkan Soltani has said that the verification error goes even further than Apple has admitted, stretching into Safari and Mail, the default internet browser and email applications. Soltani is an independent researcher who has previously examined the authenticity of the classified National Security agency documents leaked by Edward Snowden. He warned Forbes that any number of applications could still be infiltrated – the Calendar app and Twitter desktop client among them.
“All these apps would be vulnerable to the same man-in-the-middle vulnerability outlined on Friday,” he said.
The issue has been dubbed Apple’s “gotofail” by the security community because when Apple updated its code, a single “goto” command caused the entire mess.
“This sort of subtle bug deep in the code is a nightmare,” Google software engineer Adam Langley wrote on his blog, ImperialViolet.org. “I believe that it’s just a mistake and I feel very bad for whomever might have slipped in an editor and created it.”