
Apple Finally Fixes Unencrypted App Store Login 52

Deekin_Scalesinger writes "More than eighteen months after being first brought to Cupertino's attention, Apple gets around to addressing insecure logins to the App Store. In theory, this could be used to view lists of installed apps and make unauthorized purchases." Yep, they were sending login information over plain http.

  • WRONG SUMMARY (Score:5, Informative)

    by Anonymous Coward on Saturday March 09, 2013 @05:48PM (#43127701)

    Login information has always been sent over HTTPS.

    However, the app store traffic was not entirely encrypted. This meant that a sophisticated MITM attack could, say, inject a fake login prompt that would capture a user's password.

    Bad, to be sure, but nowhere near as bad as TFS makes it seem.

  • Nice summary (Score:5, Informative)

    by pushing-robot ( 1037830 ) on Saturday March 09, 2013 @05:53PM (#43127737)

    Yep, they were sending login information over plain http.

    Uh, no they weren't. [elie.im]

    They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.

    But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.

    It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.
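    A small scanner for the mixed-content problem described above, as an added example that is not from this thread or from Apple; the page URL and HTML are constructed samples. It resolves every subresource reference on an https page and reports the ones that come back over plain http, separating active content (scripts, stylesheets, frames), which an on-path attacker could replace with something like a fake password prompt, from passive content such as images.

```python
"""Flag mixed content: plain-http subresources referenced by an https page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// subresource lets an on-path attacker run code in the page.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Tags whose http:// subresource can only be swapped for other content.
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}

def classify(tag, attrs):
    """Return (severity, url_attribute) for tags that load a subresource, else None."""
    if tag == "link":  # a stylesheet is active content; icon, prefetch etc. are passive
        rel = (attrs.get("rel") or "").lower().split()
        return ("active" if "stylesheet" in rel else "passive"), "href"
    if tag in ACTIVE_TAGS:
        return "active", ACTIVE_TAGS[tag]
    if tag in PASSIVE_TAGS:
        return "passive", PASSIVE_TAGS[tag]
    return None

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hit = classify(tag, attrs)
        if hit and attrs.get(hit[1]):
            # Resolve relative and protocol-relative refs; only an explicit http:// result counts.
            url = urljoin(self.page_url, attrs[hit[1]])
            if urlsplit(url).scheme == "http":
                self.findings.append((hit[0], tag, url))

def scan_mixed_content(page_url, html):
    """List http:// subresources of an https page (an http page has none to report)."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a "secure" login page that pulls in unencrypted assets.
PAGE_URL = "https://store.example/login"
SAMPLE_HTML = """<html><head><script src="http://cdn.example/ui.js"></script>
<link rel="stylesheet" href="http://cdn.example/style.css">
<link rel="icon" href="/favicon.ico"></head>
<body><img src="//cdn.example/logo.png"><img src="http://cdn.example/banner.png">
<script src="/local.js"></script></body></html>"""
```

    Protocol-relative (`//host/...`) and root-relative references inherit the page's https scheme and are correctly left out of the findings.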

  • by Somebody Is Using My ( 985418 ) on Saturday March 09, 2013 @08:02PM (#43128249)

    i'm glad they're fixing it, and i'm glad they took the time to do it right.

    How do you know they "did it right" this time?

    Are you merely assuming that it was coded correctly because it took them so long to issue the fix or have you seen the code? Or do you simply have that much faith in Apple (the very company that thought it was a good idea to send the information over plain HTTP in the first place)?

    In fact, if you read the article, "SSL Labs, a report card system from security firm Qualys that rates the quality of websites' HTTPS protections, gives Apple's App Store a failing grade" despite the update.

  • by dave420 ( 699308 ) on Saturday March 09, 2013 @08:36PM (#43128365)

    One can find the answer [ssllabs.com] in seconds.
