Quartz Composer / QuickTime 7 information leakage

Discussion in 'MacBytes.com News Discussion' started by MacBytes, May 12, 2005.

  1. macrumors bot

    Joined:
    Jul 5, 2003
    #1
  2. Administrator emeritus

    Mudbug

    Joined:
    Jun 28, 2002
    Location:
    North Central Colorado
    #2
    If you're a bit timid to try the proof of concept page, this is what you would have seen:
     

    Attached Files:

  3. Administrator emeritus

    Mudbug

    Joined:
    Jun 28, 2002
    Location:
    North Central Colorado
    #3
    I think one of the things most interesting to me about this is that this could potentially be seen as a very easy way of devising spyware for OS X 10.4, and Secunia only rates it as "non-critical". I think unintended sharing of data in any way, shape, form, or fashion constitutes a rather "critical" problem to deal with. Granted, it's easy to turn off for now, but still should probably be bumped up the critical scale a little IMHO.
     
  4. macrumors 6502a

    Flying Llama

    Joined:
    Aug 4, 2004
    Location:
    Los Angeles
    #4
    Well, at least the most important thing they can see is your long username, but...

    On the hash page (the page with the results) I don't see my username or anything, just a bunch of random letters and numbers. Does this mean I'm not vulnerable? :cool:
     
  5. Administrator emeritus

    Mudbug

    Joined:
    Jun 28, 2002
    Location:
    North Central Colorado
    #5
    Keep in mind that what appears random to you can probably be rather easily dissected by someone else into a pack of data that makes sense.
     
  6. macrumors 6502a

    crap freakboy

    Joined:
    Jul 17, 2002
    Location:
    nar in Gainsborough, me duck
    #6
    I'm sure it's all very interesting but my frontal lobes went into meltdown and I fell asleep.
     
  7. macrumors 6502a

    Gizmotoy

    Joined:
    Nov 6, 2003
    #7
    No, it means you are vulnerable. What you are looking at is the MD5 hash (typically used for CRC checking, if you're not familiar) of your username, because the author of that website is using it for demonstration purposes only. If you take the MD5 hash of your known long username, it should match what is displayed on that page. As mentioned in the article, they could easily collect and transmit a number of pieces of information about you without performing the hash first, leaving your information out in the open.
     
  8. macrumors regular

    Paul O'Keefe

    Joined:
    Jan 23, 2005
    #8
    Special topics or BUGS

    Instead of being labelled "Special topic" on MacBytes I think these sorts of things should be labelled "Bugs" or something.
     
  9. macrumors 603

    SiliconAddict

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #9
    Huh...so we can expect another front page news.com article about how OS X is so insecure and it’s the end of the world and such. Great.
     
  10. macrumors 65816

    narco

    Joined:
    Dec 9, 2003
    Location:
    California.
    #10
    First the Safari thing, now this? Kind of scary, but I have confidence that Apple will fix this like they normally do.

    Fishes,
    narco.
     
  11. macrumors member

    Joined:
    May 25, 2003
    Location:
    Bay Area, CA
    #11
    crash

    The concept page worked the first time that I tried it, but now Safari crashes each time! The reason?

    Safari *** Quartz Composer QuickTime Component: Ignored exception in _QCRuntime_SetUp() at line 492
    -[QCImageLoader _Cleanup]: Patch is not running
    crashdump: Safari Crashed
     
