Security Consultant Takes Less Than One Day To Exploit OS X ‘Goto Fail’ Bug

In a new blog post, New Zealand security consultant Aldo Cortesi notes that it took him less than one day to develop a proof of concept for the critical OS X SSL/TLS bug known as “goto fail”.

By doing this, Cortesi has confirmed in practice what people were already worried about in theory: that thanks to the bug — thought to be the result of a line of erroneous code — almost all encrypted traffic, including usernames, passwords, and even Apple app updates, can potentially be captured.

“I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks,” Cortesi wrote.

“It’s difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic.”

While Cortesi has said that he will not release his proof of concept until well after Apple has patched the problem, it demonstrates again what a serious problem this represents. “Of course, intelligence agencies have no doubt been on top of this for some time,” Cortesi notes, before going on to suggest that, “perhaps some of the inflammatory Sochi security horror stories were plausible after all.”

At the time of writing, Apple had still not released a patch for OS X Mavericks, despite patching iOS over the weekend.
  • digitaldumdum

    I don’t understand all the chatter about how terrible this is, and how it could have wrecked the whole world. The iOS vulnerability was found and addressed, both unofficially in the jailbreak world and officially by Apple, and within what I’d consider a record amount of time. And the OS X vulnerability was addressed by Apple in almost the same time frame. Done. It’s as though no other company ever made a mistake! Blame Apple for having the problem present for a long time before anyone knew if you wish, but then, was anyone compromised?

    C’mon. The problem has been fixed, the sky isn’t falling, and Apple was proactive.

    • http://www.sutanaryan.com/ Ryan S

      yet Microsoft and Android do provide security patches and no one cares duhhh

  • lucascott

    Or they simply created a script that detected your OS version and browser and if it saw Safari and anything other than 7.0.6 it gives you this warning.

    No one has actually shown an actual attack based on this ‘flaw’. No one has shown that it existed before Apple released the patch.

    And these tests etc are just someone that saw the details of the update and decided before applying it to try to find what might be wrong with iOS that caused them to need to patch it.

    But in the end all the dire talk is just overdone. The vectors for attack aren’t that wide open, especially since folks have been saying for years not to do banking etc on public networks ’cause someone might figure out a way to snoop.

About the author

Luke Dormehl is a UK-based journalist and author, with a background working in documentary film for Channel 4 and the BBC. He is the author of The Formula: How Algorithms Solve All Our Problems, And Create More and The Apple Revolution, both published by Penguin/Random House. His tech writing has also appeared in Wired, Fast Company, Techmeme, and other publications. He'd like you a lot if you followed him on Twitter.
