BreachExchange mailing list archives
Apple's FaceTime for Mac Hit by Password Security Breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 23 Oct 2010 23:33:36 -0400
http://www.pcmag.com/article2/0,2817,2371245,00.asp

Apple brought a beta version of its FaceTime video chat service to the Mac on Wednesday, but does it include a security flaw that could put the security of your Apple password at risk?

A post on Macworld Germany claims that if you log in to your account via FaceTime for Mac, the password can be changed without supplying the existing password. So if you walk away, someone could sit down at your Mac computer and change the password, which would apply across all Apple products, including iTunes.

After the security hole made the rounds in the blogosphere, Apple Insider reported that clicking "View Account" - where the password data was housed - no longer worked. Testing at PCMag labs confirmed that the View Account button had been disabled, presumably as an interim measure ahead of a better fix.

Apple's security update page has not been updated since yesterday. Apple did not immediately respond to a request for comment.

The ability to easily change a password is definitely a misstep, but as several blogs have noted, the chance of someone leaving their FaceTime-enabled Mac unattended in a public space long enough for someone to change a password seems unlikely, unless they have particularly mischievous roommates, family members, or co-workers. Until the "View Account" functionality was disabled, meanwhile, users could just as easily change the password back.