Security Consultant Takes Less Than One Day To Exploit OS X ‘Goto Fail’ Bug

In a new blog post, New Zealand security consultant Aldo Cortesi notes that it took him less than one day to develop a proof of concept for the critical OS X SSL/TLS bug, known as “goto fail”.

By doing this, Cortesi has confirmed in practice what people were already worried about in theory: that thanks to the bug — thought to be the result of a line of erroneous code — almost all encrypted traffic, including usernames, passwords, and even Apple app updates, can potentially be captured.

“I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks,” Cortesi wrote.

“It’s difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic.”

While Cortesi has said that he will not release his proof of concept until well after Apple has patched the problem, his work demonstrates again how serious the bug is. “Of course, intelligence agencies have no doubt been on top of this for some time,” Cortesi notes, before going on to suggest that “perhaps some of the inflammatory Sochi security horror stories were plausible after all.”

At the time of writing, Apple had still not released a patch for OS X Mavericks, despite patching iOS over the weekend.

About the author

Luke Dormehl is a UK-based journalist and author, with a background working in documentary film for Channel 4 and the BBC. He is the author of The Apple Revolution, published by Random House, and is currently writing a book about algorithms for Random House/Penguin to be published in 2014. He also covers the digital humanities for Fast Company. He'd like you a lot if you followed him on Twitter.
