Apple Finally Fixes Unencrypted App Store Login 52
Deekin_Scalesinger writes "More than eighteen months after being first brought to Cupertino's attention, Apple gets around to addressing insecure logins to the App Store. In theory, this could be used to view lists of installed apps and make unauthorized purchases."
Yep, they were sending login information over plain http.
WRONG SUMMARY (Score:5, Informative)
Login information has always been sent over HTTPS.
However, the app store traffic was not entirely encrypted. This meant that a sophisticated MITM attack could, say, inject a fake login prompt that would capture a user's password.
Bad, too be sure, but nowhere near as bad as TFS makes it seem.
Nice summary (Score:5, Informative)
Yep, they were sending login information over plain http.
Uh, no they weren't. [elie.im]
They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.
But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.
It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.
Re:easier to do it right the first time. (Score:5, Informative)
i'm glad they're fixing it, and i'm glad they took the time to do it right.
How do you know they "did it right" this time?
Are you merely assuming that it was coded correctly because it took them so long to issue the fix or have you seen the code? Or do you simply have that much faith in Apple (the very company that thought it was a good idea to send the information over plain HTTP in the first place)?
In fact, if you read the article, "SSL Labs, a report card system from security firm Qualys that rates the quality of websites' HTTPS protections, gives Apple's App Store a failing grade" despite the update.
Re:easier to do it right the first time. (Score:5, Informative)