In a new blogpost, New Zealand security consultant Aldo Cortesi notes that it took him less than one day to develop a proof of concept for the critical OS X SSL/TLS bug, known as “goto fail”.
By doing this Cortesi has confirmed in practice what people were already worried about in theory: that thanks to the bug — thought to be the result of a line of erroneous code — almost all encrypted traffic, including usernames, passwords, and even Apple app updates can potentially be captured.
“I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks,” Cortesi wrote.
While Cortesi has said that he will not release his proof of concept until well after Apple has patched the problem, it demonstrates again what a serious problem this represents. “Of course, intelligence agencies have no doubt been on top of this for some time,” Cortesi notes, before going on to suggest that, “perhaps some of the inflammatory Sochi security horror stories were plausible after all.”