Major App Store Vulnerability Leaves/Left Users Vulnerable to Password Theft

Discussion in 'iOS 6' started by SomeDudeAsking, Mar 9, 2013.

  1. SomeDudeAsking, Mar 9, 2013
    Last edited: Mar 9, 2013

    SomeDudeAsking macrumors 65816

    Joined:
    Nov 23, 2010
    #1
    After leaving users exposed, Apple fully HTTPS-protects iOS App Store


    http://arstechnica.com/security/2013/03/after-leaving-users-exposed-apple-finally-https-protects-ios-app-store/

    I'm surprised this isn't on the MacRumors front page since it is so important to know for users who have had their Apple accounts compromised in the past years. It is also unclear if you need the latest version of iOS with the latest version of the Apple App Store to be protected.
     
  2. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
  3. SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #3
    Oops, forgot the ArsTechnica link. OP edited.
     
  4. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #4
    Don't forget, you can also send tips to the editors for a story. :)

    http://www.macrumors.com/share.php
     
  5. DMH3006 macrumors regular

    Joined:
    Jun 16, 2011
    #5
    Over an unsecured wifi connection.
    Besides, who's going to analyze data from the wifi hotspots? (I suppose that's what they mean by insecure wifi connections, since most home wifi connections come with a password by default.)
     
  6. SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #6
    You must be joking right? Ever heard of Firesheep? Or how about Droidsheep that runs on Android phones? Sniffing wifi hotspots is easy to do.

    And "unsecured Wi-Fi connection" does not just mean wifi hotspots with no password, it can also be wifi connections with passwords where the attacker is also connected. Ever been to a Starbucks, McDonald's, university or an airport? Yeah. An attacker can also just have his own public wifi hotspot with a familiar name and bam, you are owned.
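    What a Firesheep-style passive sniffer on a shared network actually recovers, as an added example rather than code from the thread or any real tool: three constructed TCP payloads (a plaintext HTTP login, an HTTP request carrying a session cookie and Basic auth, and a TLS record) are classified and the readable secrets pulled out. The host name, paths, parameter names and bytes are made up for the demo and are not the App Store's protocol.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample traffic, as a passive sniffer on the same wireless segment
# would see it. Host names, paths and parameter names are assumptions for the
# demo, not the real App Store protocol.
CAPTURED = [
    b"POST /account/login HTTP/1.1\r\n"
    b"Host: store.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 45\r\n\r\n"
    b"appleId=alice%40example.test&password=hunter2",
    b"GET /wishlist HTTP/1.1\r\n"
    b"Host: store.example.test\r\n"
    b"Cookie: session=8f3c0a9e; lang=en\r\n"
    b"Authorization: Basic " + base64.b64encode(b"bob:letmein") + b"\r\n\r\n",
    # A TLS 1.0 record header (content type 0x16 = handshake, version 3.1)
    # followed by bytes the sniffer cannot interpret without the session keys.
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
SECRET_FIELDS = ("password", "passwd", "pwd", "pass")


def parse_http(payload):
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def harvest_credentials(headers, body):
    """Return (label, value) pairs an on-path attacker gets for free from plaintext HTTP."""
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            found.append(("basic_auth", base64.b64decode(auth[6:]).decode("latin-1")))
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            pass
    if "cookie" in headers:
        # A session cookie is exactly what Firesheep replays to hijack the session.
        found.append(("cookie", headers["cookie"]))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body).items():
            if field.lower() in SECRET_FIELDS:
                found.append(("form_" + field, values[0]))
    return found


def inspect(payload):
    """Classify one captured TCP payload and extract whatever is readable."""
    if payload.startswith(HTTP_METHODS):
        method, path, headers, body = parse_http(payload)
        return {"kind": "http", "host": headers.get("host", "?"),
                "request": f"{method} {path}",
                "secrets": harvest_credentials(headers, body)}
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        # Only the record type and version are visible; the payload is opaque.
        return {"kind": "tls", "record": TLS_TYPES[payload[0]],
                "version": f"3.{payload[2]}", "secrets": []}
    return {"kind": "unknown", "secrets": []}


def sweep(captures):
    return [inspect(p) for p in captures]


if __name__ == "__main__":
    for result in sweep(CAPTURED):
        print(result)
```

    Run as-is it prints the login password and the cookie/Basic pair from the two HTTP payloads and nothing but "handshake, 3.1" for the TLS record; the point is that nothing about the attacker's position changes between the two cases, only whether the client encrypted before sending.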
     
  7. macUser2007 macrumors 65832

    Joined:
    May 30, 2007
    #7
    Uhm, people who are at best bored, or at worst malicious....:rolleyes:

    Half of the Starbucks patrons I see are browsing the internets, often on iOS devices.

    This is a real issue and I cannot believe anyone halfway reasonable can defend Apple for ignoring it for so long.
     
  8. DMH3006 macrumors regular

    Joined:
    Jun 16, 2011
    #8
    It's then an issue with the place you are connected to.
    While they should have protected it better, they didn't, but there's still some good sense in using important data only at wifi places that you know are very reliable.

    Do you access banking information on those wifi hotspots? Of course not; an Apple ID to me applies the same way as credit card information.

    You can of course feel differently about this.
     
  9. SomeDudeAsking, Mar 10, 2013
    Last edited: Mar 10, 2013

    SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #9
    So it's no fault of Apple's for not using basic encryption properly, huh? And are you going to start body searching everyone at a public wifi hotspot to see if they have a device running Firesheep, Droidsheep, or any number of intercept tools?
     
  10. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #10
    I do, but I'm comfortable with how https works.

    Thing is, using a browser to access your bank, the browser will show you the icon that indicates when your data is being encrypted. Most use a lock icon. So if the bank screws up an area of their website and makes it not secure, you will know.

    The App Store app doesn't give you any visible icon that shows if your data is being sent securely or not. If Apple screws up a part of their store (like they apparently did), you're vulnerable.

    I'd guess that 99% of folks trusted Apple to have done App Store security properly, meaning there would be no reason NOT to use it on public wifi.
     
  11. SomeDudeAsking, Mar 10, 2013
    Last edited by a moderator: Mar 10, 2013

    SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #11
    So it was no big deal that our Apple ID passwords could have been intercepted for years and could still be vulnerable if you don't have the latest version of iOS? And it is no big deal that Apple knew about this basic vulnerability since the middle of last year but still doesn't publicize a basic vulnerability report besides a sentence or two recognizing the Google employee that found it? Sweeping it under the rug is not how you handle security.
     
  12. clauzzz203 macrumors regular

    Joined:
    Sep 18, 2012
    #12
    So you change your password, what the hell man... Even that is useless; if somebody got your password they would have used it by now, and if they didn't you can keep it. I'll let you lose sleep over it.
     
  13. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #13
    IMO, the part above isn't a big deal because that's how Apple's always treated 99.99% of vulnerabilities. It's not like they're going out of their way to treat this one any differently.

    IIRC, there are more than a few threads on MacRumors from folks who have had their iTunes account hacked (i.e. someone got their password and charged up a bunch of stuff), despite the fact that they used a unique and complex password. Some folks had their accounts hacked MULTIPLE TIMES, even after changing their passwords.

    It's interesting to me that Apple's "answer" to that was to require that the credit card information be verified when a purchase is made for the first time on a new machine. Not that this method does anything to protect your iCloud stuff (email, etc).

    Oh well, at least there's an answer as to how these folks could have been continually hacked.
     
  14. SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #14
    If someone got hold of your password, you may not even know about it if their goal was to continually steal all your iCloud documents, read your email, and receive all your iMessages. It is not right that Apple just tried to sweep this under the rug when they should force a password reset for everyone.
     
  15. DMH3006 macrumors regular

    Joined:
    Jun 16, 2011
    #15
    Oh please, most people that got their accounts hacked probably got their computer hacked. I think if you get hacked multiple times on the same account it is because someone has gotten access to your device somehow.
     
  16. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #16
    Who knows.

    You'd think that if someone hacked into your computer, they'd be after something a little more lucrative than your Apple ID, right? Perhaps your banking and credit card account information?

    Then again, if people are only intercepting your information by sniffing traffic on wireless networks (work, school, airports, restaurants), they would only be able to get your Apple ID information, because unlike the App Store, the banks and credit card sites keep it 100% SSL encrypted.
     
  17. bozzykid macrumors 68020

    Joined:
    Aug 11, 2009
    #17
    Considering most people have credit card/payment information tied to their apple id, it isn't necessary to have credit card information. Like the researcher said who posted this security issue, hackers could use it to buy apps without the user's knowledge. So you just need some overpriced apps to make it happen. But the researcher didn't release the info until after Apple fixed it, so there doesn't appear to be anyone using this security hole as far as anyone knows.
     
  18. 0dev macrumors 68040

    0dev

    Joined:
    Dec 22, 2009
    Location:
    127.0.0.1
    #18
    Apple was stupid for not implementing full HTTPS for the App Store but, that said, you are also stupid if you log into sensitive accounts over unsecured WiFi connections. This is why I never use those things, I just use the data on my phone, because it's a connection I know is reasonably secure - it's a lot harder to intercept a 3G connection than it is to sniff an open WiFi network after all.
     
  19. cyks macrumors 68020

    cyks

    Joined:
    Jul 24, 2002
    Location:
    Westchester County, NY
    #19
    In many cases, access to someone's full iCloud backup is more valuable than their bank account.
     
  20. SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #20
    Average users probably don't know and shouldn't have to know these details, it should just work. An average user probably isn't going to care what connection they are connected to as long as it works. And a 3G connection isn't going to help someone with an iPod or wifi only iPad.
     
  21. 0dev macrumors 68040

    0dev

    Joined:
    Dec 22, 2009
    Location:
    127.0.0.1
    #21
    Well then average users can enjoy having their details stolen for not bothering to make sure they're being secure. The fact that such ignorance is encouraged is a problem. Why do you think people still bother phishing? Because some idiot will always fall for it because they don't think they "need to know this stuff."

    If people must use an open WiFi network they should always do it through a VPN. Simple as that really.

    Oh, and I use my iPhone's 3G connection on my Nexus 7 all the time. That personal hotspot feature is there for a reason after all.
     
  22. SomeDudeAsking, Mar 10, 2013
    Last edited: Mar 10, 2013

    SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #22
    And then you try to explain what VPN is to an average user and they stare at you with a blank face. And then you tell them that they will have to pay a monthly fee to use a VPN and that it will cause increased lag and decreased bandwidth. And then you mention that all this extra encryption causes decreased battery life. To which, they rip their phone back from your hands.

    Oh, and tethering through your phone's wifi hotspot costs extra, too. And it causes decreased battery life and you can't get high quality streaming video through 3G. And you run the risk of blowing through your data cap.

    Why even bother having SSL if you think a VPN can take care of the connection security? VPN connections have to travel through the regular Internet to reach the original host so Apple not having full encryption would still leave users vulnerable to password theft if an attacker were to intercept somewhere further down the line.
     
  23. 0dev macrumors 68040

    0dev

    Joined:
    Dec 22, 2009
    Location:
    127.0.0.1
    #23
    Easy: "A VPN is a secure tunnel which protects everything you go on from other people on the network." Boom. And I have never seen evidence of VPNs reducing speed, bandwidth, or battery life. And the price is negligible. £5 a month can get you a decent VPN, that's nothing.

    Unlimited tethering is included in my plan, although I'm in the UK and I know US phone plans are terrible compared to ours.

    VPN connections are a secure tunnel from your device to the VPN server, so no one on that WiFi network can intercept your connection. I don't know what you mean by attacks further down the line unless you think the VPN provider themselves will sniff your traffic?
     
  24. SomeDudeAsking thread starter macrumors 65816

    Joined:
    Nov 23, 2010
    #24
    Using a VPN can definitely cause noticeable lag and decreased bandwidth:

    https://www.my-private-network.co.uk/knowledge-base/service-related/vpnoverhead.html

    All that encryption and decryption is not free. You have to make the processor do the extra work which results in decreased battery life.

    And if you want to tether in the US, those plans cost at least $20 extra according to the carrier guide at http://www.pcworld.com/article/261928/the_ultimate_android_tethering_guide.html

    That means, with your solution, a person would have to pay an extra $20 + $7.50 (£5) = $27.50 per month just for these workarounds. You don't have to look hard to see why your suggestion will get laughed at by most people.

    And a VPN connection is not totally secure from end to end. Your VPN connection terminates at your VPN host; they then have to send the traffic over the regular internet to reach the intended target, in this case Apple. An attacker could still sniff this portion of the link and steal your passwords. A proper SSL connection would prevent this.

    And there is another major drawback of using a VPN: nothing on your home network will be able to connect to each other. This means that iTunes wireless sync, iTunes wireless backup, Apple TV remote app, NAS, AirPlay, etc. will not work.
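    The hop-by-hop picture argued over in the posts above (a VPN tunnel ends at the provider's server, TLS ends at the service itself), as an added model that is not from the thread: each encryption layer is peeled at the position where it terminates, and a link is readable only when no layer is left. The hop names, the "vpn_exit" provider and the "apple_edge" stand-in for Apple's endpoint are constructed for illustration.

```python
# Added example; not code from the thread. Models which network links carry a
# credential in the clear depending on where each encryption layer terminates.
# Hop names are constructed; "apple_edge" stands in for the service endpoint and
# "vpn_exit" for a commercial VPN provider's server.

PATH = ["device", "cafe_wifi", "isp", "vpn_exit", "internet", "apple_edge"]

# Each layer is (name, position where it is decrypted). A VPN tunnel ends at the
# provider's exit; TLS ends at the server itself, so it covers every link.
VPN = ("vpn", "vpn_exit")
TLS = ("tls", "apple_edge")


def exposure(path, layers):
    """Return {link: frozenset(layer names still wrapping the data on that link)}."""
    ends = dict(layers)
    for name, position in ends.items():
        if position not in path:
            # A layer that never terminates on this path would look like perfect
            # protection; treat it as a modelling error instead.
            raise ValueError(f"layer {name!r} terminates off-path at {position!r}")
    remaining = set(ends)
    view = {}
    for hop, nxt in zip(path, path[1:]):
        # Peel every layer that is decrypted at this hop before the data leaves it.
        remaining = {name for name in remaining if ends[name] != hop}
        view[f"{hop}->{nxt}"] = frozenset(remaining)
    return view


def readable_links(path, layers):
    """Links on which the credential travels with no encryption layer at all."""
    return [link for link, wrapped in exposure(path, layers).items() if not wrapped]


def compare(path):
    """The four transport configurations discussed in the thread, side by side."""
    scenarios = {
        "plain http": [],
        "vpn only": [VPN],
        "tls only": [TLS],
        "vpn + tls": [VPN, TLS],
    }
    return {name: readable_links(path, layers) for name, layers in scenarios.items()}


if __name__ == "__main__":
    for name, links in compare(PATH).items():
        print(f"{name:11s} password readable on: {links or 'nothing'}")
```

    With the VPN alone the café Wi-Fi and ISP links are covered but the two links after the VPN exit are not; with TLS alone nothing on the path is readable, which is why a VPN is a mitigation for the hotspot and not a substitute for the app encrypting the credential itself.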
     
  25. bozzykid macrumors 68020

    Joined:
    Aug 11, 2009
    #25
    If you log in to an unsecured wifi hotspot (which for business travelers is sometimes a requirement), you can't help but have sensitive data sent over the network. Most of this happens in the background without the user's consent. You can't blame users for that.
     