
 
NewsPoster Mar 8, 2013 06:37 PM
Apple plugs security hole in App Store connections
After first being alerted to the potential problem last summer (http://elie.im/blog/web/apple-finally-turns-https-on-for-the-app-store-fixing-a-lot-of-vulnerabilities/#.UTl3P-hbxOR), Apple has addressed a potential security issue (http://appleinsider.com/articles/13/03/08/apple-adds-encryption-to-app-store-connections-addresses-six-month-old-hole) with connections to the App Store and is now encrypting active content over HTTPS by default as of late last month. A Google security researcher pointed out the potential for an attack in July, noting that a malicious network attacker could conceivably field user passwords, scan the apps on a user's device or even trick users into downloading fake upgrades or prevent an app from installing.

Apple patched the issue on February 23 (http://macnn.com/rd/280640==http://support.apple.com/kb/HT1318) and acknowledged Google's Elie Bursztein (http://macnn.com/rd/280641==http://elie.im/about) along with two others for finding the vulnerability. No known exploits of the issue have been uncovered, but the fix closes the possibility of any future abuse. Bursztein posted some videos (seen below) on how the attack might have worked, along with technical details of the methodology shortly before Apple updated its servers to use HTTPS for certain connections.

The company has periodically beefed up security for the App Store, for example now requiring users to answer security questions when they log into the store from a new device. As noted by AppleInsider, the company also plugged issues that saw incidents of account fraud back in 2009 and 2010 that caused some users to be erroneously charged (http://macnn.com/rd/280642==http://www.macnn.com/articles/09/06/23/apple.battles.fake.cards/) for hundreds of dollars (http://macnn.com/rd/280643==http://www.macnn.com/articles/10/07/12/artificially.boosts.chinese.travel.apps/) in purchases made with fake or stolen credit cards.


Videos embedded in the original post:
http://www.youtube-nocookie.com/embed/b7MQjLVkekg?rel=0
http://www.youtube-nocookie.com/embed/epcS_s2E-rA?rel=0
http://www.youtube-nocookie.com/embed/qTkxmfkw7iQ?rel=0
 
shifuimam Mar 9, 2013 03:27 PM
Wow...so Apple let this hole stay wide open for more than SIX MONTHS? Are you kidding me?

Also, I'd rewrite this part, because it's unclear:

Quote
As noted by AppleInsider, the company also plugged issues that saw incidents of account fraud back in 2009 and 2010 that caused some users to be erroneously charged for hundreds of dollars in purchases made with fake or stolen credit cards.
The grammar is a bit off and makes the statement somewhat vague - did this security update patch exploits found in 2009 or 2010? From the linked articles it sounds like those exploits were fixed shortly after they were discovered, and the above doesn't make that clear.
 
cgc Mar 9, 2013 04:26 PM
Quote, Originally Posted by shifuimam (Post 4220932)
Wow...so Apple let this hole stay wide open for more than SIX MONTHS? Are you kidding me?

Also, I'd rewrite this part, because it's unclear:



The grammar is a bit off and makes the statement somewhat vague - did this security update patch exploits found in 2009 or 2010? From the linked articles it sounds like those exploits were fixed shortly after they were discovered, and the above doesn't make that clear.
It sounds like there was account fraud only in 2009 and 2010. Articles in all media seem to be written more poorly than ten years ago...editing is a lost art perhaps.
 