Apple Finally Fixes Unencrypted App Store Login 52
Deekin_Scalesinger writes "More than eighteen months after being first brought to Cupertino's attention, Apple gets around to addressing insecure logins to the App Store. In theory, this could be used to view lists of installed apps and make unauthorized purchases."
Yep, they were sending login information over plain http.
Apple's reason for this (Score:5, Funny)
Apple's official statement: "We used plain http because it 'Just Works'."
A: Because it disrupts the flow of a message (Score:5, Funny)
This is exactly what my ass (Score:5, Funny)
ociate once told me.
Further evidence... (Score:3, Funny)
...that no-one doing anything relevant would choose Apple.
This also explains why Apple has become very popular over the last decade.
Re:Nice summary (Score:5, Funny)
Yep, they were sending login information over plain http.
Uh, no they weren't. [elie.im]
They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.
But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.
It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.
Stop ruining our Apple bashing session with 'facts'.