
MacRumors

macrumors bot
Original poster
Apr 12, 2001
56,549
19,294





As related by MacNotes.de, Apple's new FaceTime for Mac beta application contains several security issues that could easily result in a user's Apple ID and iTunes Store account being compromised by individuals with physical access to the user's machine.

The primary issue appears to be FaceTime for Mac's display of account information, which reveals the user's date of birth and security question and answer for their account once signed in with their Apple ID, with no secondary request for password authentication. Consequently, anyone with physical access to a user's machine could view that information, which can then be used to reset the password for the account without requiring any email or other confirmation. The password can also be reset directly within the FaceTime application without a requirement that the current password be entered.

And while a user should in theory be able to address this issue by signing out of their account in FaceTime, the application automatically remembers the account details for the last-used account and pre-populates them the next time the application is opened or a sign-in is attempted.

Obviously there are any number of ways that sensitive information could be viewed or compromised by individuals with physical access to a user's machine, but the FaceTime application seems to make such actions remarkably easy, making private account reset information plainly visible at any point after initial log-in to the service.

Article Link: FaceTime for Mac Beta Opens Up Security Hole to Allow for Compromised Apple IDs
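Added example, not part of the original post and not Apple's code: a minimal Python sketch of the controls the article says were missing, namely a fresh password confirmation before account details are shown, the current password required for a password change, and nothing remembered after sign-out. All class names, field names and the five-minute window are assumptions made for illustration.

```python
import hashlib, hmac, os, time

REAUTH_WINDOW = 300  # assumed policy: a password confirmation is valid for 5 minutes

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # constructed model of an account with recovery data
    def __init__(self, apple_id, password, birth_date, question, answer):
        self.apple_id = apple_id
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.recovery = {"birth_date": birth_date, "question": question, "answer": answer}

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

class Session:  # hypothetical signed-in client session
    def __init__(self, account, clock=time.monotonic):
        self.account, self.clock = account, clock
        self.signed_in, self.reauth_at = True, None

    def confirm_password(self, password):
        ok = self.signed_in and self.account.check_password(password)
        self.reauth_at = self.clock() if ok else None  # a failed attempt clears the window
        return ok

    def _fresh(self):
        return (self.signed_in and self.reauth_at is not None
                and self.clock() - self.reauth_at <= REAUTH_WINDOW)

    def view_account(self):
        if not self._fresh():
            raise PermissionError("password confirmation required")
        # Even after confirmation, the birth date and security answer are not displayed.
        return {"apple_id": self.account.apple_id, "question": self.account.recovery["question"]}

    def change_password(self, current, new):
        if not (self.signed_in and self.account.check_password(current)):
            raise PermissionError("current password required")
        self.account.salt = os.urandom(16)
        self.account.pw_hash = _hash(new, self.account.salt)
        self.reauth_at = None  # force a new confirmation after the change

    def sign_out(self):
        self.signed_in, self.reauth_at = False, None
        return {"apple_id": "", "password": ""}  # sign-in form prefill: nothing remembered
```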
 

TheYankees1903

macrumors regular
Jan 23, 2008
150
0
So don't leave your computer around people you don't trust. If you do, leave it password protected. Who really cares?

ThaYankees1903 :apple:
 

RodThePlod

macrumors 6502a
Sep 7, 2005
712
192
London
While it's no excuse for lax programming, this is BETA software and is therefore bound to contain issues such as this.

I hope they filed a bug report with Apple...
 

Xian Zhu Xuande

macrumors 6502a
Jul 30, 2008
904
82
I wonder who's going to blow this one out of proportion. If someone has free access to your computer, logged in, to view any information they please, odds are your security problems are going to be much bigger unless you're rather paranoid or careful. Apple will probably touch this little bit up in the beta process.
 

JeffDM

macrumors 6502a
Sep 16, 2006
709
9
If someone has physical access to an electronic device, all bets are off on its security. This would be a concern if someone can remotely jack your computer.
 

Cydonia

macrumors member
Feb 25, 2009
98
0
Isle of Man

…and they can also see all your other files on the Mac!
 

Žalgiris

macrumors 6502a
Aug 3, 2010
934
0
Lithuania
I bet there are more than a few that are using their NORMAL Apple ID (iTunes with credit card maybe) for this FaceTime app. What are you thinking?
 

griffd

macrumors newbie
Sep 16, 2006
27
2
Orlando, FL
fixed?

I just tried clicking the "View Account" button and it doesn't work - reverts to the previous panel - could they have already fixed this?
 

Cydonia

macrumors member
Feb 25, 2009
98
0
Isle of Man

Žalgiris said:
I bet there are more than a few that are using their NORMAL Apple ID (iTunes with credit card maybe) for this FaceTime app. What are you thinking?

I'm thinking it's fine due to the fact you would require my password in order to gain access to said FaceTime "issue".
 

pdjudd

macrumors 601
Jun 19, 2007
4,037
65
Plymouth, MN
JeffDM said:
If someone has physical access to an electronic device, all bets are off on its security. This would be a concern if someone can remotely jack your computer.

I cannot emphasize this most of all. Security is never uncompromisable or unbeatable. There are two vectors of attack that you can pretty much never guard against. The first is an ignorant user who blindly does things they don't understand. The second is someone getting physical access to your device.

If someone can achieve (or compromise) just one of these vectors, it's game over and anything is possible.
 