Schneier on Security
A blog covering security and security technology.
« Electronic Car Lock Denial-of-Service Attack |
| Video Interview with Me from RSA Europe »
October 22, 2010
FaceTime for Mac Security Hole
Once a user has logged into FaceTime, anyone with access to the machine can change the user's Apple ID password without knowing the old password.
Of course, it's just as easy to change it back, if the victim notices.
EDITED TO ADD (11/9): It's been fixed.
Posted on October 22, 2010 at 5:45 AM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
isn't that why it's called a "beta"?
It's a feature. Passwords are so pesky.
Apple have already disabled this from their end. Attempts to view this information result in the app returning to the previous pane.
But yes, it is a very beta beta.
And you can bet it's still just as easy to change someone's Apple ID (or other) password from their PC without knowing it anyway. How many people save their password in their email client? Send a password reset from the web site, open up the email client...
Or just install a key logger.
Yes, it's a flaw; it should never have been released like this even in a beta. Giant it isn't though.
Leave your workstation unattended, unlocked in an insecure environment and bad things can happen.
You can reset the admin password on a Mac in 3 minutes without the cd. I had to do it at work this week and it's shockingly easy. If you have physical access to the machine you have access to everything on the machine. FaceTime didn't change that
If you have physical access to the machine you always have access to everything on the machine unless there's disk encryption. Admin passwords are to stop end users doing silly things, they're not particularly solid security.
@bob "unless there's disk encryption. "
And sometimes even then.
Except that you can reset the firmware password fairly easily.
I remember the ads touting OS X as having legendary security. Laughable man, HAH!
I was gonna hack you on Saturday, now I'm gonna hack you on Wednesday. Nobody's secure from the Jesus, man!
"legendary security" ... yes, this was the OS that originally got its software updates across a plain TCP connection. Now _that_ was legendary.
Watching Apple's OS grow from its start as a perfectly secure OS layered with some of the least secure GUI code ever written has been very entertaining. I think they genuinely thought "we're BSD now, so someone's taken care of all of the security for us."
So while Windows internals are insecure, Mac has secure internals, but every bit of code Apple writes makes it less secure.
If you try to sign in to facetime with a bad password then facetime will remember that bad password the next time you start it. so you can change the password, sign out, then try to sign in with a bad password and you will keep the user out.
A fine example of Apple releasing code without a security review; or their security review process is so broken it does not catch basic authentication flaws.
All anyone had to ask was "Can the password can be changed without supplying the existing password?" and FaceTime would have been sent back for remediation. This is a pre-beta question.
It begs the question of other poor practices by the same development team.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.