Once a user has logged into FaceTime, anyone with access to the machine can change the user's Apple ID password without knowing the old password.
Of course, it's just as easy to change it back, if the victim notices.
EDITED TO ADD (11/9): It's been fixed.
Posted on October 22, 2010 at 5:45 AM • 15 Comments
isn't that why it's called a "beta"?
BF Skinner • October 22, 2010 6:28 AM
It's a feature. Passwords are so pesky.
Stuart Gibson • October 22, 2010 6:36 AM
Apple have already disabled this from their end. Attempts to view this information result in the app returning to the previous pane.
But yes, it is a very beta beta.
And you can bet it's still just as easy to change someone's Apple ID (or other) password from their PC without knowing it anyway. How many people save their password in their email client? Send a password reset from the web site, open up the email client...
Or just install a key logger.
Yes, it's a flaw; it should never have been released like this even in a beta. Giant it isn't though.
Leave your workstation unattended, unlocked in an insecure environment and bad things can happen.
Jon • October 22, 2010 7:48 AM
You can reset the admin password on a Mac in 3 minutes without the cd. I had to do it at work this week and it's shockingly easy. If you have physical access to the machine you have access to everything on the machine. FaceTime didn't change that
http://theappleblog.com/2008/06/22/reset-os-x-password-without-an-os-x-cd/
bob • October 22, 2010 7:54 AM
@Jon
If you have physical access to the machine you always have access to everything on the machine unless there's disk encryption. Admin passwords are to stop end users doing silly things, they're not particularly solid security.
BF Skinner • October 22, 2010 9:25 AM
@bob "unless there's disk encryption. "
And sometimes even then.
andy • October 22, 2010 10:07 AM
using an open firmware password will prevent from unauthorized use of the new admin account tip.
Doug • October 22, 2010 10:17 AM
Except that you can reset the firmware password fairly easily.
Jesus Quintana • October 22, 2010 11:36 AM
I remember the ads touting OS X as having legendary security. Laughable man, HAH!
I was gonna hack you on Saturday, now I'm gonna hack you on Wednesday. Nobody's secure from the Jesus, man!
Lan Colshaw • October 22, 2010 12:38 PM
"legendary security" ... yes, this was the OS that originally got its software updates across a plain TCP connection. Now _that_ was legendary.
Watching Apple's OS grow from its start as a perfectly secure OS layered with some of the least secure GUI code ever written has been very entertaining. I think they genuinely thought "we're BSD now, so someone's taken care of all of the security for us."
So while Windows internals are insecure, Mac has secure internals, but every bit of code Apple writes makes it less secure.
By the way, it's already been fixed http://www.electronista.com/articles/10/10/22/embarrassing.vulnerability.patched.pronto/
wilhelmtell • October 22, 2010 7:03 PM
If you try to sign in to facetime with a bad password then facetime will remember that bad password the next time you start it. so you can change the password, sign out, then try to sign in with a bad password and you will keep the user out.
Davi Ottenheimer • October 22, 2010 7:47 PM
A fine example of Apple releasing code without a security review; or their security review process is so broken it does not catch basic authentication flaws.
All anyone had to ask was "Can the password can be changed without supplying the existing password?" and FaceTime would have been sent back for remediation. This is a pre-beta question.
It begs the question of other poor practices by the same development team.
Subscribe to comments on this entry
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..
Leave a comment