Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
FaceTime for Mac Beta Opens Up Security Hole to Allow for Compromised Apple IDs
- Thread starter MacRumors
- Start date
- Sort by reaction score
If I had access to your computer, the last thing I would go for is FaceTime to get your info...
This isn't huge. This is a minor bug.If you let anyone at your computer without care, the least of your worries is FaceTime. Can you say "Keylogger"?
Wait, so if I'm doing a FaceTime with my mom she can actually change my AppleID password??? She also can find out my date of birth??? Or figure out the answer to my security question of what the name of my first pet was????? I certainly better not change my password question to my mother's maiden name as that is where I draw the line on what she shouldn't be able to see. Please don't anyone tell my mom that she has access to this.
And if I get that anonymous facetime request for a chat I'll make sure to accept it so Mr. Random bad guy can get my information and then I'll blame Apple for the security hole
Moving on.
Reading it all over, I now see that I was in error. My mom won't even have access to this stuff if we are doing a video chat (Thank God!). It is only if she is sitting at my computer working on it. She can then open up FaceTime and get the info. I better up the security on my house. I realize that a laptop can fall into the wrong hands, but if somebody malicious has access to your laptop do you think the first thing they will do is care about your AppleID? I think your bank and brokerage passwords are a little more important.
I think the security point that shouldn't be ignored is this:
A software should NEVER permit anyone to change the password without first typing in the OLD password as confirmation. This is why web services ALWAYS ask you to confirm your OLD password before changing your password even though you're already logged in.
Even if I were to have physical access to your computer, I shouldn't be able to change that Apple ID password without confirming your old password, period. That's a security oversight and should be fixed. Arguing physical access is required is moot, since this is a fundamental decision flaw in security.
A software should NEVER permit anyone to change the password without first typing in the OLD password as confirmation. This is why web services ALWAYS ask you to confirm your OLD password before changing your password even though you're already logged in.
Even if I were to have physical access to your computer, I shouldn't be able to change that Apple ID password without confirming your old password, period. That's a security oversight and should be fixed. Arguing physical access is required is moot, since this is a fundamental decision flaw in security.
While I totally agree - people keep ignoring the fact that this issue/security risk is still real for those computers that are not PERSONAL computers but are in labs, libraries, schools, etc.
I don't think anyone would argue that physical access to ones OWN computer is much of a risk.
Crap Story...
Shame on you MacRumors for posting this story that only noobs think is an issue. Any real Mac user who thinks this is a huge issue is an idiot and should have their Apple products taken away. Don't leave your machine unattended without being password protected. End of story, problem solved.
Shame on you MacRumors for posting this story that only noobs think is an issue. Any real Mac user who thinks this is a huge issue is an idiot and should have their Apple products taken away. Don't leave your machine unattended without being password protected. End of story, problem solved.
It's an issue until it's fixed (which it seems already is), for public computers. Imagine someone signing into FaceTime from a public computer and his/her password is REMEMBERED automatically and then anyone else can change it later. That's the problem...
This is the dumbest post yet (well all the Verizon posts are pretty meaningless as well). Common Sense ............ is there an app for that!
Trolling much? It was fixed even before you made this post. Anyone who actually is upset about this would have checked out the flaw themselves to see how bad it is and if it's been fixed yet.
I would really like to see MR and other sites update their post mentioning that it is fixed. They did a great job reporting this issue, but Apple also did a great job responding immediately with a hotfix.
The panel that reveals this information no longer works, i'd imagine Apple just sends back a "no go" response which tells the application to revert back to the previous page.
Crisis averted people, it is beta software and they made a little screw up, go back into your tinfoil wrapped holes to avoid the enemy stealing your thoughts.
The flaw helped me, sort of...
Yeah I noticed this earlier when I was fiddling around with the settings to see if I could easily change my location.
Funny enough is that when presented with my secret question and answer I realized I didn't have a clue as to what they were, so not even I could have answered and reset my password this way, LOL.
Yeah I noticed this earlier when I was fiddling around with the settings to see if I could easily change my location.
Funny enough is that when presented with my secret question and answer I realized I didn't have a clue as to what they were, so not even I could have answered and reset my password this way, LOL.
I can't replicate this on mine either. Going into Preferences -> Accounts -> View Account simply shows a blank screen that with "Cancel" and "Done" on top. A second later it goes back to Accounts automatically.
Apple appears to have a workaround for the problem already.
Apple appears to have a workaround for the problem already.
Good to hear that the issue has been resolved.
I do think it's funny everyone talking about responsibility. It's a two-way street, programmers needs to be responsible too - and the fact that it got fixed so quickly means that it's a big deal. This type of bug should be found before a program reaches the beta stage.
You can preach user responsibility all you want but you can't control the unexpected (someone forcefully steals your computer while you're using it or a team of thieves manages to briefly distract while they take your computer - not likely scenarios, but certainly possible).
I do think it's funny everyone talking about responsibility. It's a two-way street, programmers needs to be responsible too - and the fact that it got fixed so quickly means that it's a big deal. This type of bug should be found before a program reaches the beta stage.
You can preach user responsibility all you want but you can't control the unexpected (someone forcefully steals your computer while you're using it or a team of thieves manages to briefly distract while they take your computer - not likely scenarios, but certainly possible).
Good point, I didn't consider public computers.
Looks like there has been a fix put out already anyway.
Wow, fail! I'm glad I think Facetime is worthless and will never use it...
Yes, I imagine the value of FaceTime increases with the quality of your face.
They don't give you a beta, and u whine about it. they give you a beta and you whine why it is so late......
you swear 5 million people are on a team at Apple working on that ONE specific need you have to make sure YOU are satisfied....
Installing Beta software on a public computer and putting your private information at risk is REAL smart......
Yeah, but how many people get to install beta software on public computers? Most of those computers don't give you install rights (for obvious reasons).
this is a little disturbing
I have no intention or desire to use FaceTime any time soon. I never use the video/cameras etc. on my Apple stuff anyway. I guess I'm just a bit bummed that folks outside of Apple have to make these breaches public (why aren't they catching this before it's released. Which is what I say about the hardware issues as well.)
I have no intention or desire to use FaceTime any time soon. I never use the video/cameras etc. on my Apple stuff anyway. I guess I'm just a bit bummed that folks outside of Apple have to make these breaches public (why aren't they catching this before it's released. Which is what I say about the hardware issues as well.)
This isn't the real issue for me...
I'm not as concerned about this being a problem, simply because I don't just leave my MBP just laying around where others could take it, use it, etc..
What does concern me is Facetime's ability to actually launch the application when you receive a Facetime request. I downloaded the beta last night and was playing with it and discovered that even if the Facetime app isn't running, if someone tries to contact you via your email address, it will actually launch the Facetime application to start the Facetime session. This means that there is a service running on my Mac, that listens for requests from the Internet and has enough authority to actually launch an application on my computer.
Granted I have not researched this area very much, but just on the surface this seems VERY problematic....
I'm not as concerned about this being a problem, simply because I don't just leave my MBP just laying around where others could take it, use it, etc..
What does concern me is Facetime's ability to actually launch the application when you receive a Facetime request. I downloaded the beta last night and was playing with it and discovered that even if the Facetime app isn't running, if someone tries to contact you via your email address, it will actually launch the Facetime application to start the Facetime session. This means that there is a service running on my Mac, that listens for requests from the Internet and has enough authority to actually launch an application on my computer.
Granted I have not researched this area very much, but just on the surface this seems VERY problematic....
Who says the user has to install it. Maybe you're at best buy and the managers loaded it to showcase facetime.
Maybe you're at a public workstation where the owners have installed it to attract more users/offer the latest capabilities
Point is - people need to look beyond their personal "bubbles" and realize that their situation doesn't equate to ALL situations.
There is a reason why it's beta, so people can test it out, find bugs and fix them. It is a bit sad that this one slipped through their internal testing, but as with all software, mistakes happen. That's why it's beta.
Thankfully Apple is great when it comes to this stuff and responds very quickly, and that's why it's already been fixed.
In preferences you can turn this off. I do think that it shouldn't be "hidden" in preferences - but via a status on/off when you open the program
You can easily fix this by turning off FaceTime in preferences before you close it. It would be nice for them to have an option in preferences that allows you quickly toggle option of running a background service, but still have it work while FaceTime is running. It is beta though after all, so maybe it's coming.