In a new blogpost, New Zealand security consultant Aldo Cortesi notes that it took him less than one day to develop a proof of concept for the critical OS X SSL/TLS bug, known as “goto fail”.
By doing this Cortesi has confirmed in practice what people were already worried about in theory: that thanks to the bug — thought to be the result of a line of erroneous code — almost all encrypted traffic, including usernames, passwords, and even Apple app updates can potentially be captured.
On February 21st, Apple released iOS 7.0.6, a small software update that provided “a fix for SSL connection verification.” The same SSL fix was also released for older iOS 6 devices and the Apple TV. Apple pushes out smaller bug fixes from time to time, so at first glance 7.0.6 seemed like a pretty normal update.
But in reality, Apple patched a major security flaw that has potentially compromised millions of peoples’ data for years. Nicknamed “gotofail,” the bug has been flying under the radar for quite some time, and it still hasn’t been patched in OS X.