BreachExchange mailing list archives

Apple's FaceTime for Mac Hit by Password Security Breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 23 Oct 2010 23:33:36 -0400

http://www.pcmag.com/article2/0,2817,2371245,00.asp

Apple brought a beta version of its FaceTime video chat service to the
Mac on Wednesday, but does it include a security flaw that could put
the security of your Apple password at risk?

A post on Macworld Germany claims that if you log in to your account
via FaceTime for Mac, the password can be changed without supplying
the existing password. So if you walk away, someone could sit down at
your Mac computer and change the password, which would apply across
all Apple products, including iTunes.

After the security hole made the rounds in the blogosphere, Apple
Insider reported that clicking "View Account" - where the password data
was housed - no longer worked. Testing at PCMag labs confirmed that
the View Account button had been disabled, presumably as an interim
measure ahead of a better fix.

Apple's security update page has not been updated since yesterday.

Apple did not immediately respond to a request for comment.

The ability to easily change a password is definitely a misstep, but
as several blogs have noted, the chance of someone leaving their
FaceTime-enabled Mac unattended in a public space long enough for
someone to change a password seems unlikely; unless they have
particularly mischievous roommates, family members, or co-workers.
Until the "View Account" functionality was disabled, meanwhile, users
could just as easily change the password back.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
