Apple’s security protocol breach is nearly as bad as handing your credit card straight to a hacker rather than making them steal the information through the magnetic stripe readers.
The flaw in Apple’s iOs and OS X platforms essentially allows a hacker to get in between the initial verification “handshake” connection between the user and the destination server, enabling the adversary to masquerade as a trusted endpoint. This means the connection which is supposed to be encrypted between you and your bank, email server, healthcare provider and more is open to attack.
Security experts across the web recommend updating iPhones and iPads with the available iOS patches now, and using browsers other than Safari for OS X systems without an available Apple fix.
Usually to achieve encrypted web traffic, a handshake is accomplished through a Secure Sockets Layer — SSL for short — or more recently, Transport Layer Security, or TLS; both are Internet protocols that provide a secure channel between two machines operating over the Internet or an internal network.
The full severity of the security flaw has yet to surface, but the duplicated line of code which is causing all the ruckus has been in place since September 2012. This means theoretically that if you’ve been using the flawed iOS or OS X systems since then, a hacker on your shared network could have captured all your data that should have been SSL- or TSL-encrypted for the past 18 months.
Think of all the banking, online dating, email writing and Internet purchases you’ve made in the last year and a half.
The SSL/TLS effort requires nearly zero interaction from us — the users — but you may be familiar with the little lock icon that appears on the browser, indicating a secure connection has been achieved. This is where the Apple flaw comes in; anyone using the same network connection — the person sitting next to you at the coffee shop or at work right now — could fake the secure connection and intercept communication between your browser and a site.
Even worse, the flaw allows for modification of the “data in flight,” meaning a hacker could deliver exploits to take control of your system, according to Crowdstrike. And other applications that you may not immediately associate with Internet browsing are affected as well.
Apple released a fix to the flaw housed in iOs 6 and 7 authentication logic, but the company only says the OS X fix is coming “very soon,” according to Reuters. This means Mac desktops and notebooks are still vulnerable to man-in-the-middle attacks.
Apple’s support page says the company will not “disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” but describes the fail was addressed by “restoring missing validation steps.”
Apple did not immediately respond to TheBlaze for clarification on how soon fixes for Mac desktops and notebooks will be available.
Follow Elizabeth Kreft (@elizabethakreft) on Twitter