Security Consultant Takes Less Than One Day To Exploit OS X ‘Goto Fail’ Bug

By

Screen_Shot_2014-02-25_at_12

In a new blogpost, New Zealand security consultant Aldo Cortesi notes that it took him less than one day to develop a proof of concept for the critical OS X SSL/TLS bug, known as “goto fail”.

By doing this Cortesi has confirmed in practice what people were already worried about in theory: that thanks to the bug — thought to be the result of a line of erroneous code — almost all encrypted traffic, including usernames, passwords, and even Apple app updates can potentially be captured.

“I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks,” Cortesi wrote.

“It’s difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic.”

While Cortesi has said that he will not release his proof of concept until well after Apple has patched the problem, it demonstrates again what a serious problem this represents. “Of course, intelligence agencies have no doubt been on top of this for some time,” Cortesi notes, before going on to suggest that, “perhaps some of the inflammatory Sochi security horror stories were plausible after all.”

At the time of writing, Apple had still not released a patch for OS X Mavericks, despite patching iOS over the weekend.

Source: Corte.si

Via: ZDnet

Newsletters

Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.