Major flaw in Apple mobile devices software could allow hackers to access email: report
22 Feb 2014
A major flaw in Apple Inc software for mobile devices could compromise email and other communications that are meant to be encrypted, according to a statement from the company, and experts say Mac computers may also be at risk.
If attackers gained access to a mobile user's network, for example by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.
Reuters quoted cryptography professor Matthew Green as saying it was as bad as one could imagine.
Apple made no reference to when or how it learned about the flaw in the way iOS handled Secure Sockets Layer (SSL) and Transport Layer Security (TLS) sessions. It also did not say whether the flaw was being exploited.
However, a statement on its support website stated matter-of-factly that the software "failed to validate the authenticity of the connection."
The iPhone maker released the software patches, including an update for the current version of iOS, for iPhone 4 and later, the fifth-generation iPod touch, and iPad 2 and later.
Meanwhile, engadget.com reported that Apple had quietly pushed out iOS 7.0.6 and 6.1.6, small updates that addressed a hitherto unknown security issue with its mobile OS. The company said in its security notes that the previous versions of iOS were missing key SSL validation steps that kept secure transport from validating authentic connections, which made it possible for "attackers with a privileged network position" to "capture or modify data in sessions protected by SSL/TLS."
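As an added illustration (constructed for this page, not Apple's code and not from the report), the C program below shows how a single skipped validation step leaves a client that still reports success: verify_exchange_flawed jumps past the signature check with its status variable still holding 0, so a message altered in transit is accepted, while verify_exchange_fixed rejects it. The key_exchange_t layout, the toy digest, DEMO_KEY and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not Apple's code: a server key exchange whose
 * signature must be checked before the session is trusted. The "signature"
 * is a toy (digest of the message XORed with a fixed byte) standing in for
 * a real signature check; the control flow is the point. */
typedef struct { uint8_t data[8]; uint8_t signature; } key_exchange_t;

static const uint8_t DEMO_KEY = 0x5A;   /* constructed demo key */

static uint8_t digest(const uint8_t *p, size_t n) {   /* toy hash */
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d = (uint8_t)((d << 1) ^ p[i]);
    return d;
}

/* Stand-in for an earlier validation step: first byte carries the length. */
static int check_length(key_exchange_t kx) {
    return kx.data[0] == sizeof kx.data - 1 ? 0 : -1;
}

static int verify_signature(key_exchange_t kx) {   /* 0 = matches */
    uint8_t expect = (uint8_t)(digest(kx.data, sizeof kx.data) ^ DEMO_KEY);
    return expect == kx.signature ? 0 : -1;
}

/* Flawed client: an unconditional jump to the error label skips the
 * signature check while err still holds 0, so a forged exchange is trusted. */
int verify_exchange_flawed(key_exchange_t kx) {
    int err = 0;
    if ((err = check_length(kx)) != 0)
        goto fail;
        goto fail;                 /* verify_signature is never reached */
    if ((err = verify_signature(kx)) != 0)
        goto fail;
fail:
    return err;                    /* 0 means "connection is authentic" */
}

/* Corrected client: each step runs only if the previous one passed. */
int verify_exchange_fixed(key_exchange_t kx) {
    int err = check_length(kx);
    if (err != 0) return err;
    return verify_signature(kx);
}

/* Constructed messages: a genuine exchange and one altered in transit. */
key_exchange_t make_genuine(void) {
    key_exchange_t kx = {{7, 1, 2, 3, 4, 5, 6, 7}, 0};
    kx.signature = (uint8_t)(digest(kx.data, sizeof kx.data) ^ DEMO_KEY);
    return kx;
}
key_exchange_t make_tampered(void) {
    key_exchange_t kx = make_genuine();
    kx.data[3] = 0x42;             /* changed by a man in the middle; old signature */
    return kx;
}
```

The tampered message fails the fixed check but is accepted by the flawed one, which is the condition the advisory describes as failing to validate the authenticity of the connection.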
Devices running iOS were therefore failing to protect themselves on untrusted networks, a fact that was not known to users. According to the report, it was not known whether the security flaw was known outside of Cupertino, but it certainly was now.
In an update, the report goes on to say that researchers claimed to have found evidence that OS X too had SSL validation issues. Security firm CrowdStrike said that, on analysing the iOS updates, it found evidence that both of Apple's platforms were vulnerable to man-in-the-middle attacks. Apple is expected to push a fix for OS X soon, but for now users would be better off avoiding untrusted WiFi hotspots and updating only on trusted networks.