It Took Apple 3 Years To Fix An iTunes Flaw That Allowed Government & Police To Spy On You


Thanks to the success of Apple’s iOS devices and its iTunes music store, the company’s iTunes software is installed on more than 250 million Macs and PCs around the world, making it one of the most widely used media players available. It might not have been so popular, however, had users known it shipped with a security flaw that allowed government intelligence agencies and the police to monitor them.

A British company called Gamma International marketed surveillance software, called FinFisher, to governments. FinFisher took advantage of the iTunes flaw, allowing the agencies that bought it to spy on targets who ran iTunes.

What’s most worrying is that Apple allegedly learned of the flaw in 2008, according to security writer Brian Krebs, but did nothing about it until earlier this month, when it released iTunes 10.5.1, leaving the flaw unpatched for more than three years.

Krebs revealed in a blog post:

A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.

The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title.

Krebs reports that, on average, Apple takes just 91 days to fix a security flaw in its software once it has been reported.

“Maybe they forgot about it, or it was just on the bottom of their to-do list,” said Francisco Amato, the Argentinian security researcher who alerted Apple to the issue.

However, Apple maintains it takes security issues seriously. In a response to claims that the FinFisher software targeted iTunes users, the company said it works “to find and fix any issue that could compromise systems,” and that “the security and privacy of our users is extremely important.”

Gamma International, a company which specializes in selling computer hacking services to governments, has chosen not to comment on the matter.

[via The Telegraph]