FaceTime for Mac Beta Opens Up Security Hole to Allow for Compromised Apple IDs

[MacRumors]

As related by MacNotes.de, Apple's new FaceTime for Mac beta application contains several security issues that could easily result in a user's Apple ID and iTunes Store account being compromised by individuals with physical access to the user's machine.

The primary issue appears to be FaceTime for Mac's display of account information, which reveals the user's date of birth and security question and answer for their account once signed in with their Apple ID, with no secondary request for password authentication. Consequently, anyone with physical access to a user's machine could view that information, which can then be used to reset the password for the account without requiring any email or other confirmation. The password can also be reset directly within the FaceTime application without a requirement that the current password be entered.

And while a user should in theory be able to address this issue by signing out of their account in FaceTime, the application automatically remembers the account details for the last-used account and pre-populates them the next time the application is opened or a sign-in is attempted.

Obviously there are any number of ways that sensitive information could be viewed or compromised by individuals with physical access to a user's machine, but the FaceTime application seems to make such actions remarkably easy, making private account reset information plainly visible at any point after initial log-in to the service.

Article Link: FaceTime for Mac Beta Opens Up Security Hole to Allow for Compromised Apple IDs

 

[TheYankees1903]

So don't leave your computer around people you don't trust. If you do, leave it password protected. Who really cares?

ThaYankees1903

 

[shartypants]

guess that is why it is beta.

 

[RodThePlod]

While it's no excuse for lax programming, this is BETA software and is therefore bound to contain issues such as this.

I hope they filed a bug report with Apple...

 

[Xian Zhu Xuande]

I wonder who's going to blow this one out of proportion. If someone has free access to your computer, logged in, to view any information they please, odds are your security problems are going to be much bigger unless you're rather paranoid or careful. Apple will probably touch this little bit up in the beta process.

 

[BJB Productions]

Don't be stupid. End of story.

 

[Statusnone88]

EVERYONE! Together! We will strengthen ourselves!

 

[Robert M.]

Wow, fail! I'm glad I think Facetime is worthless and will never use it...

 

[Xavier]

guess that is why it is beta.

Yup. But this is a huge security flaw. I will stay away from this until everything is sorted.

 

[dlewis23]

Well thats just fantastic...

 

[Žalgiris]

Now let's bash beta software for that.

 

[TimUSCA]

Meh... that's why it's beta. Plus, I don't leave my computer around those I don't trust.

 

[Bernard SG]

PEBKAc much?
hehehehe

 

[JeffDM]

If someone has physical access to an electronic device, all bets are off on its security. This would be a concern if someone can remotely jack your computer.

 

[fcortese]

Oops. Yes, I usually never go with a beta. I like to wait for the bugs/defects to be ironed out.

 

[Cydonia]

Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6531.22.7)

…and they can also see all your other files on the Mac!

 

[Žalgiris]

I bet there are more than few that are using their NORMAL Apple ID (iTunes with credit card maybe) for this FaceTime app. What are you thinking?

 

[griffd]

fixed?

I just tried clicking the "View Account" button and it doesn't work - reverts to the previous panel - could they have already fixed this?

 

[paulmoscow]

It seems this bug is already kind of fixed.

 

[kirky29]

Well...it's a Beta.

 

[Cydonia]

Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6531.22.7)

I bet there are more than few that are using their NORMAL Apple ID (iTunes with credit card maybe) for this FaceTime app. What are you thinking?

I'm thinking it's fine due to the fact you would require my password inorder to gain access to said FaceTime "issue"

 

[roratus]

Ooooppps......I bet someone is getting a tongue lashing over this.

 

[ShiftyPig]

Looks like we'll be seeing that Apple job posting again soon. What a lazy mistake.

 

[Full of Win]

Oh boo hoo hoo...its a beta test.

 

[pdjudd]

If someone has physical access to an electronic device, all bets are off on its security. This would be a concern if someone can remotely jack your computer.

I cannot emphasis this most of all. Security is never uncompromisable or unbeatable. There are two vectors of attack that you can pretty much never guard against. The first is an ignorant user who blindly does things they don't understand. The second is someone getting physical access to your device.

If someone can achieve (or compromise) just one of these vectors, it's game over any anything is possible.