
Apple Finally Fixes Unencrypted App Store Login

Unknown Lamer posted about a year and a half ago | from the stealing-your-fart-apps dept.


Deekin_Scalesinger writes "More than eighteen months after being first brought to Cupertino's attention, Apple gets around to addressing insecure logins to the App Store. In theory, this could be used to view lists of installed apps and make unauthorized purchases." Yep, they were sending login information over plain http.


rot13(rot13(password)) (0)

Anonymous Coward | about a year and a half ago | (#43127545)

Only the average CS student would believe it was unencrypted...

Re:rot13(rot13(password)) (2)

MachDelta (704883) | about a year and a half ago | (#43127715)

Would the good ones use rot26(password);
?

easier to do it right the first time. (1)

noh8rz10 (2716597) | about a year and a half ago | (#43127959)

i'm glad they're fixing it, and i'm glad they took the time to do it right. look at oracle how they're always scrambling to shove out security fixes, without taking time to think broader - maybe there's a larger structural problem that needs a holistic solution?

as my father said, if you can't afford to do it right, how will you afford to do it twice?

Re:easier to do it right the first time. (4, Insightful)

santax (1541065) | about a year and a half ago | (#43128225)

"For the past nine months—and possibly for years—Apple has unnecessarily left many of its iOS customers open to attack because engineers failed to implement standard technology that encrypts all traffic traveling between handsets and the company's App Store." Yeah, they took time... a lot of time.

Re:easier to do it right the first time. (5, Informative)

Somebody Is Using My (985418) | about a year and a half ago | (#43128249)

i'm glad they're fixing it, and i'm glad they took the time to do it right.

How do you know they "did it right" this time?

Are you merely assuming that it was coded correctly because it took them so long to issue the fix or have you seen the code? Or do you simply have that much faith in Apple (the very company that thought it was a good idea to send the information over plain HTTP in the first place)?

In fact, if you read the article, "SSL Labs, a report card system from security firm Qualys that rates the quality of websites' HTTPS protections, gives Apple's App Store a failing grade" despite the update.

Re:easier to do it right the first time. (1)

gnasher719 (869701) | about a year and a half ago | (#43128337)

In fact, if you read the article, "SSL Labs, a report card system from security firm Qualys that rates the quality of websites' HTTPS protections, gives Apple's App Store a failing grade" despite the update.

And what exactly does that mean?

Re:easier to do it right the first time. (4, Informative)

dave420 (699308) | about a year and a half ago | (#43128365)

One can find the answer [ssllabs.com] in seconds.

Re:easier to do it right the first time. (1)

noh8rz10 (2716597) | about a year and a half ago | (#43129467)

Are you merely assuming that it was coded correctly because it took them so long to issue the fix or have you seen the code?

not only have i seen the code, but i wrote most of it!

Re:easier to do it right the first time. (0)

Anonymous Coward | about a year and a half ago | (#43134623)

Bam!! That was good. You sure slapped "Somebody is using My" in his face.

Re:easier to do it right the first time. (1)

garry_g (106621) | about a year and a half ago | (#43132297)

i'm glad they're fixing it, and i'm glad they took the time to do it right.

... and it took so long because before Apple, nobody had thought up a way to encrypt data on transmission between a server and a client. So they had to research, and write something that would work. Maybe they might even come up with a patent application ... let's think, what may they call it - maybe something like "secure http"?

Frist Ps0t! (-1)

Anonymous Coward | about a year and a half ago | (#43127551)

Mah Niggazzzz!

Never a hurry unless... (-1)

Nyder (754090) | about a year and a half ago | (#43127561)

... it cost the company money.

A: Because it disrupts the flow of a message (5, Funny)

DNS-and-BIND (461968) | about a year and a half ago | (#43127575)

Q: Why is starting a comment in the Subject: line incredibly irritating for everyone at Slashdot?

This is exactly what my ass (5, Funny)

Sir or Madman (2818071) | about a year and a half ago | (#43127589)

ociate once told me.

Further evidence... (3, Funny)

Anonymous Coward | about a year and a half ago | (#43127639)

...that no-one doing anything relevant would choose Apple.

This also explains why Apple has become very popular over the last decade.

Re:Further evidence... (0)

Anonymous Coward | about a year and a half ago | (#43127893)

Would mod up if I could.

Apple's reason for this (5, Funny)

dreamchaser (49529) | about a year and a half ago | (#43127565)

Apple's official statement: "We used plain http because it 'Just Works'."

Re:Apple's reason for this (1)

Anonymous Coward | about a year and a half ago | (#43127703)

Funny but, maybe this illustrates just how overblown this vector is.

I mean, it's one of the largest targets on planet earth, with billions of dollars transacted there.

Re:Apple's reason for this (1)

dreamchaser (49529) | about a year and a half ago | (#43128211)

I don't know about where you spend your money on the web, but I certainly don't do business with any site that doesn't use SSL at the very least. Exactly where are these 'billons of dollars' being transacted over plain http?

Re:Apple's reason for this (0)

Anonymous Coward | about a year and a half ago | (#43128289)

Transitively through the snooped logins of app store users.

We are not the majority of users. Many people don't bother to look for the little lock icon in the browser bar. Many don't really know or care what it means.

Or are you being intentionally ignorant of the real world?

Re:Apple's reason for this (1)

DJ Particle (1442247) | about a year and a half ago | (#43131791)

I look for the icon, but on the other hand, if you're logging in via iTunes or via your iDevice, there is no icon to look for :(

Re:Apple's reason for this (0)

Anonymous Coward | about a year and a half ago | (#43128297)

SSL only secures the network traffic. It does not ensure that the other end is who you think they are. Nor does it ensure that the other end is honest, or competent for that matter. All it ensures is that the other end has a valid certificate for the domain.

You can SSL encrypt all you want to the server at badguy.com, it's not going to prevent the bad guy from grabbing your CC info. Or you can SSL encrypt all your traffic to sony.com, and nothing will prevent Anonymous from grabbing your CC info.

Even if you only ever shop at apple.com, all an attacker needs to do is get a valid certificate. There are hundreds of places selling these, some of which are incompetent, and others being in countries that you wouldn't trust in real life. But your browser will trust the certificate for you.

In conclusion, all you're doing by not doing business with a site that doesn't do SSL, is supporting the certificate "tax".

Re:Apple's reason for this (1)

cyberchondriac (456626) | about a year and a half ago | (#43131575)

SSL only secures the network traffic. It does not ensure that the other end is who you think they are. Nor does it ensure that the other end is honest, or competent for that matter. All it ensures is that the other end has a valid certificate for the domain.

Wait.. what?.. an important element of having a "valid" SSL Certificate is that it's signed by a third party trusted authority (such as Thawte or Verisign) who vouches for the authenticity of the Certificate. So, ideally, SSL does ensure the other end is who they say they are. In theory, anyway.
Granted, it can't vouch for the honesty of said company or any of its employees. But then again, neither can anything else. I think it's funny my MIL refuses to buy online, she'll call the company instead and read her credit card info over the phone. How does she know the sales person isn't just copying all that info for themselves and/or selling it on the black market? At some point, you just have to put some trust in the system, or don't do business with credit cards at all.

Re:Apple's reason for this (1)

interval1066 (668936) | about a year and a half ago | (#43128401)

"Overblown"...? Ok, take off that mac genius shirt right now...

Oh boy! (4, Insightful)

Fuzzums (250400) | about a year and a half ago | (#43127593)

/. redirects me from https back to http.
So what about that?

Re:Oh boy! (3, Insightful)

Nemyst (1383049) | about a year and a half ago | (#43127599)

Slashdot doesn't have direct access to your credit card.

Re:Oh boy! (1)

Anonymous Coward | about a year and a half ago | (#43127815)

Slashdot doesn't have direct access to your credit card.

It still constitutes the pot calling the kettle black.

Re:Oh boy! (0)

Anonymous Coward | about a year and a half ago | (#43127951)

No, it doesn't. It is two entirely different contexts.

I can harangue my kid's elementary school for using a low quality lock while I am using an inferior lock on my kid's bedroom door.

Re:Oh boy! (1)

dreamchaser (49529) | about a year and a half ago | (#43128219)

Bullshit, and your troll-fu is very weak. You aren't buying stuff on /.

Re:Oh boy! (1)

DrVxD (184537) | about a year and a half ago | (#43132461)

I buy that argument. Oh, wait...

Re:Oh boy! (1)

Fuzzums (250400) | about a year and a half ago | (#43140867)

True. But it is still a good practice to authenticate using ssl.

Re:Oh boy! (2)

lesincompetent (2836253) | about a year and a half ago | (#43128535)

Oh come on... you can't ask them too much. Slashdot is not even accessible on IPv6 yet. Shame on you /. Shame on you.

Re:Oh boy! (1)

Kalriath (849904) | about a year and a half ago | (#43133891)

It stays on HTTPS if you're a subscriber. It redirects users who cost them money back to HTTP so they don't have to spend so many CPU cycles.

It's a feature (1)

Anonymous Coward | about a year and a half ago | (#43127655)

Not a bug

Typical haters (5, Insightful)

etresoft (698962) | about a year and a half ago | (#43127663)

Yep, they were sending login information over plain http.

The author of the original article was very careful with what he did and didn't say. He didn't say that Apple sent login information over plain http. And if you read the support document [apple.com] where Elie Bursztein gets his 15 seconds of Apple fame, you will see that Apple says the update now encrypts "active content". In short, login information was never sent over plain text.

Re:Typical haters (0)

Anonymous Coward | about a year and a half ago | (#43129671)

"active content" is a vague buzzword that often includes session cookies which contain said login credentials.

Typical apologist.

Re:Typical haters (2)

PenguSven (988769) | about a year and a half ago | (#43129975)

Session cookies should contain a Session identifier, not login credentials.

Slashdot only posts negative Apple & MS storie (0, Redundant)

Anonymous Coward | about a year and a half ago | (#43127689)

... and only positive Google stories. I can't remember last time I saw a positive Apple or negative Google story on here. Slashdot didn't even cover the recent story about Google divulging personal information about everyone who buys anything from Google Play.

And then people wonder why this site has been sold so many times and why the site is losing users left & right (and losing staff).

It's all about credibility. And /. has lost most of it. Sad what the site has become.

Re:Slashdot only posts negative Apple & MS sto (0, Offtopic)

Anonymous Coward | about a year and a half ago | (#43127769)

Just a couple days ago, Slashdot posted a negative story about Google cutting more jobs at Motorola. No, wait, that was actually a good thing because they're removing dead weight so they can concentrate on suing Apple and Microsoft over FRAND patents.

WRONG SUMMARY (5, Informative)

Anonymous Coward | about a year and a half ago | (#43127701)

Login information has always been sent over HTTPS.

However, the app store traffic was not entirely encrypted. This meant that a sophisticated MITM attack could, say, inject a fake login prompt that would capture a user's password.

Bad, to be sure, but nowhere near as bad as TFS makes it seem.

Nice summary (5, Informative)

pushing-robot (1037830) | about a year and a half ago | (#43127737)

Yep, they were sending login information over plain http.

Uh, no they weren't. [elie.im]

They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.

But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.

It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.
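The defect described in this post is mixed content: an HTTPS page that pulls in sub-resources over plain http://. The scanner below is an added example, not code from this thread or from Apple; it parses a page and reports every http:// include, distinguishing active resources (scripts, frames, stylesheets), which a man in the middle could replace, from passive ones (images, media). The sample page and hostnames are constructed.

```python
# Added example (not from the Slashdot thread or from Apple): scan a page
# served over HTTPS for sub-resources fetched over plain http://, the
# "mixed content" defect discussed above. Sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" sub-resources (scripts, frames, stylesheets) let a man in the
# middle who rewrites them control the page; "passive" ones (images,
# media) only leak what the user is viewing.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def _check(self, severity, tag, url):
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS and attrs.get(ACTIVE_TAGS[tag]):
            self._check("active", tag, attrs[ACTIVE_TAGS[tag]])
        elif tag in PASSIVE_TAGS and attrs.get(PASSIVE_TAGS[tag]):
            self._check("passive", tag, attrs[PASSIVE_TAGS[tag]])
        elif tag == "link" and attrs.get("href") and \
                "stylesheet" in (attrs.get("rel") or "").split():
            self._check("active", tag, attrs["href"])

def scan_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for every http:// sub-resource.
    Protocol-relative URLs (//host/x) inherit https and are not reported."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to a page served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a storefront page with two insecure includes.
SAMPLE_PAGE_URL = "https://store.example.test/app/1234"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/store.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/icon.png">
<script src="https://cdn.example.test/login.js"></script>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```

Run against a real storefront page, any "active" finding is the case the post describes: a script or stylesheet an on-path attacker could swap for one that draws a fake login prompt.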

Re:Nice summary (5, Funny)

Anonymous Coward | about a year and a half ago | (#43127855)

Yep, they were sending login information over plain http.

Uh, no they weren't. [elie.im]

They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.

But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.

It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.

Stop ruining our Apple bashing session with 'facts'.

Re:Nice summary (0)

Anonymous Coward | about a year and a half ago | (#43128151)

So, that's what Internet Explorer has been warning me about for almost a decade now.

Re:Nice summary (1)

swillden (191260) | about a year and a half ago | (#43128201)

If only more sites would stop including unsecure content on "secure" pages.

Even better, just go HTTPS for everything.

Re:Nice summary (0)

Anonymous Coward | about a year and a half ago | (#43128259)

Unpossible while many browsers don't support SNI.

Re:Nice summary (1)

alen (225700) | about a year and a half ago | (#43128277)

Since every app has to be signed by apple's key, how would a hacker get their software on your phone?

Only thing I can think of is create a jailbreak and try to deploy it via an App Store GUI

Re:Nice summary (5, Insightful)

tlambert (566799) | about a year and a half ago | (#43129077)

Since every app has to be signed by apple's key, how would a hacker get their software on your phone?

Only thing I can think of is create a jailbreak and try to deploy it via an App Store GUI

Look, I'm an Apple fan, being a former employee, but that is honestly a naive question, at best.

The point attack vector on you is not to trojan your iDevice, it is to hijack your account credentials. There are a lot of things you can do with hijacked App Store/iTunes credentials:

(1) Buy a lot of stuff from the store on your credit card associated with the account. Who cares if it's ever installed anywhere, it costs you money and Apple reputation

(2) Astroturf an application to raise its ratings in the store by posting reviews.

(3) Inflate sales numbers for an App; this is similar to astroturfing as well, but along a different axis.

(4) Obtain a portion of your credit card number to obtain credentials elsewhere you have accounts; Apple verifies accounts with the credit card number, but uses the very public part of the credit card number, which is why account hijack attacks occur

(5) Deauthorize all your devices

(6) Authorize an additional device; if your slots aren't all full, you aren't going to notice this, and in combination with #1, this will allow them to utilize your account to obtain content for the device

(7) Track the location of your device (and by inference, you), and plan an attack on you, rob your house while you are too far away to get back in time, or just notice that your Mac Laptop and your iPhone are in different locations, the iPhone is moving, and then, hey, free laptop

(8) Remote wipe your device(s)

(9) Use "Back To My Mac to remotely access your laptop/desktop system

(10) Authorize and iSync another device, and obtain access to all your personally created content, like your address book contents, business contacts, and in the case of them installing all the Apps you have installed on your device on a similar device, obtain all the personal information in those apps as well from the iSync'ed device

(11) Access your keychain contents using #10, and if one of your devices is a laptop/desktop/in-some-cases-ipad, log in to all the accounts you have elsewhere (including maybe HRBlock.com?) that Safari kindly offered to "Remember my password for this site?" for you

(12) Remote access your camera, if you happen to have an App that can do that.

There. A dozen reasons why it's a bad thing, and that's without breaking a sweat, or pulling in indirect attacks, like the fact that a lot of foolish people tend to use the same login and password everywhere, and once they have it for your App Store account, they probably have it for other accounts as well.

Re:Nice summary (0)

Anonymous Coward | about a year and a half ago | (#43254173)

Yeah, but apart from those 12 things, what could they really do with this information?

People still use iTunes? (0)

TheRealDevTrash (2849653) | about a year and a half ago | (#43129199)

Huh.

Nope, they weren't (1)

Anonymous Coward | about a year and a half ago | (#43129247)

Yep, they were sending login information over plain http.

Nope, they were not sending login information over plain http, but their store did send some information in the clear.

HTTPS (0)

Anonymous Coward | about a year and a half ago | (#43130429)

https. There's an App for that.

So, iOS update? (1)

sabbede (2678435) | about a year and a half ago | (#43136357)

This seems like the sort of thing that will be fixed with the next update to iOS. Of course if you, like me, are using an older device like my first gen iPad, then there will be no update because apparently we are not worth supporting anymore. I really hate Apple sometimes. Actually, a lot of times. Does anyone know what security fixes have been implemented since 5.1.1? (That being the last version of the OS available for the iPad 1)