FaceTime for Mac Security Hole

Once a user has logged into FaceTime, anyone with access to the machine can change the user's Apple ID password without knowing the old password.

Of course, it's just as easy to change it back, if the victim notices.

EDITED TO ADD (11/9): It's been fixed.

Posted on October 22, 2010 at 5:45 AM • 15 Comments

Comments

Stuart GibsonOctober 22, 2010 6:36 AM

Apple have already disabled this from their end. Attempts to view this information result in the app returning to the previous pane.

But yes, it is a very beta beta.

SOctober 22, 2010 7:11 AM

And you can bet it's still just as easy to change someone's Apple ID (or other) password from their PC without knowing it anyway. How many people save their password in their email client? Send a password reset from the web site, open up the email client...

Or just install a key logger.

Yes, it's a flaw; it should never have been released like this even in a beta. Giant it isn't though.

Leave your workstation unattended, unlocked in an insecure environment and bad things can happen.

JonOctober 22, 2010 7:48 AM

You can reset the admin password on a Mac in 3 minutes without the cd. I had to do it at work this week and it's shockingly easy. If you have physical access to the machine you have access to everything on the machine. FaceTime didn't change that

http://theappleblog.com/2008/06/22/...

bobOctober 22, 2010 7:54 AM

@Jon

If you have physical access to the machine you always have access to everything on the machine unless there's disk encryption. Admin passwords are to stop end users doing silly things, they're not particularly solid security.

Jesus QuintanaOctober 22, 2010 11:36 AM

I remember the ads touting OS X as having legendary security. Laughable man, HAH!

I was gonna hack you on Saturday, now I'm gonna hack you on Wednesday. Nobody's secure from the Jesus, man!

Lan ColshawOctober 22, 2010 12:38 PM

"legendary security" ... yes, this was the OS that originally got its software updates across a plain TCP connection. Now _that_ was legendary.

RHOctober 22, 2010 1:16 PM

Watching Apple's OS grow from its start as a perfectly secure OS layered with some of the least secure GUI code ever written has been very entertaining. I think they genuinely thought "we're BSD now, so someone's taken care of all of the security for us."

So while Windows internals are insecure, Mac has secure internals, but every bit of code Apple writes makes it less secure.

wilhelmtellOctober 22, 2010 7:03 PM

If you try to sign in to facetime with a bad password then facetime will remember that bad password the next time you start it. so you can change the password, sign out, then try to sign in with a bad password and you will keep the user out.

Davi OttenheimerOctober 22, 2010 7:47 PM

A fine example of Apple releasing code without a security review; or their security review process is so broken it does not catch basic authentication flaws.

All anyone had to ask was "Can the password can be changed without supplying the existing password?" and FaceTime would have been sent back for remediation. This is a pre-beta question.

It begs the question of other poor practices by the same development team.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..