Secure Coding mailing list archives

Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com


From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 12 Mar 2009 07:41:00 -0700

Hello SC-Lers,

I saw this blog and thought it may be of interest here:

http://blogs.zdnet.com/security/?p=2861

According to the blog, there's a design issue (read: flaw) in iTunes that can allow a maliciously formed podcast to cause a user to get prompted for a username/password -- to iTunes itself. That dialog box can then be hijacked and the victim's credentials stolen.

What made it interesting to me was a couple of things: first, the cited advisory from Apple (http://support.apple.com/kb/HT3487) clearly says it's a design issue. Tells me we're not likely to see a real fix for a while, IMHO. Indeed, Apple's initial "fix" to this design issue is, "This update addresses the issue by clarifying the origin of the authentication request in the dialog." That doesn't sound like much of a fix at all, and I'd expect a lot of users will still fall for the dialog box ruse. Sigh...

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
