IOS Security Apple Your Rights Online

Apple Finally Fixes Unencrypted App Store Login 52

Posted by Unknown Lamer
from the stealing-your-fart-apps dept.
Deekin_Scalesinger writes "More than eighteen months after being first brought to Cupertino's attention, Apple gets around to addressing insecure logins to the App Store. In theory, this could be used to view lists of installed apps and make unauthorized purchases." Yep, they were sending login information over plain http.
  • by dreamchaser (49529) on Saturday March 09, 2013 @05:21PM (#43127565) Homepage Journal

    Apple's official statement: "We used plain http because it 'Just Works'."

    • by Anonymous Coward

      Funny but, maybe this illustrates just how overblown this vector is.

      I mean, it's one of the largest targets on planet earth, with billions of dollars transacted there.

      • I don't know about where you spend your money on the web, but I certainly don't do business with any site that doesn't use SSL at the very least. Exactly where are these 'billions of dollars' being transacted over plain http?

      • "Overblown"...? Ok, take off that mac genius shirt right now...
  • Oh boy! (Score:5, Insightful)

    by Fuzzums (250400) on Saturday March 09, 2013 @05:28PM (#43127593) Homepage

    /. redirects me from https back to http.
    So what about that?

  • by Anonymous Coward

    Not a bug

  • Typical haters (Score:5, Insightful)

    by etresoft (698962) on Saturday March 09, 2013 @05:39PM (#43127663)

    Yep, they were sending login information over plain http.

    The author of the original article was very careful with what he did and didn't say. He didn't say that Apple sent login information over plain http. And if you read the support document [apple.com] where Elie Bursztein gets his 15 seconds of Apple fame, you will see that Apple says the update now encrypts "active content". In short, login information was never sent over plain text.

  • WRONG SUMMARY (Score:5, Informative)

    by Anonymous Coward on Saturday March 09, 2013 @05:48PM (#43127701)

    Login information has always been sent over HTTPS.

    However, the app store traffic was not entirely encrypted. This meant that a sophisticated MITM attack could, say, inject a fake login prompt that would capture a user's password.

    Bad, to be sure, but nowhere near as bad as TFS makes it seem.

  • Nice summary (Score:5, Informative)

    by pushing-robot (1037830) on Saturday March 09, 2013 @05:53PM (#43127737)

    Yep, they were sending login information over plain http.

    Uh, no they weren't. [elie.im]

    They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.

    But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.

    It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.

    • by Anonymous Coward on Saturday March 09, 2013 @06:19PM (#43127855)

      Yep, they were sending login information over plain http.

      Uh, no they weren't. [elie.im]

      They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.

      But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.

      It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.

      Stop ruining our Apple bashing session with 'facts'.

    • by swillden (191260)

      If only more sites would stop including unsecure content on "secure" pages.

      Even better, just go HTTPS for everything.

    • by alen (225700)

      Since every app has to be signed by apple's key, how would a hacker get their software on your phone?

      Only thing I can think of is create a jailbreak and try to deploy it via an App Store GUI

      • Re:Nice summary (Score:5, Insightful)

        by tlambert (566799) on Sunday March 10, 2013 @12:17AM (#43129077)

        Since every app has to be signed by apple's key, how would a hacker get their software on your phone?

        Only thing I can think of is create a jailbreak and try to deploy it via an App Store GUI

        Look, I'm an Apple fan, being a former employee, but that is honestly a naive question, at best.

        The point attack vector on you is not to trojan your iDevice, it is to hijack your account credentials. There are a lot of things you can do with hijacked App Store/iTunes credentials:

        (1) Buy a lot of stuff from the store on your credit card associated with the account. Who cares if it's ever installed anywhere, it costs you money and Apple reputation

        (2) Astroturf an application to raise its ratings in the store by posting reviews.

        (3) Inflate sales numbers for an App; this is similar to astroturfing as well, but along a different axis.

        (4) Obtain a portion of your credit card number to obtain credentials elsewhere you have accounts; Apple verifies with accounts with the credit card number, but uses the very public part of the credit card number, which is why account hijack attacks occur

        (5) Deauthorize all your devices

        (6) Authorize an additional device; if your slots aren't all full, you aren't going to notice this, and in combination with #1, this will allow them to utilize your account to obtain content for the device

        (7) Track the location of your device (and by inference, you), and plan an attack on you, rob your house while you are too far away to get back in time, or just notice that your Mac Laptop and your iPhone are in different locations, the iPhone is moving, and then, hey, free laptop

        (8) Remote wipe your device(s)

        (9) Use "Back To My Mac" to remotely access your laptop/desktop system

        (10) Authorize and iSync another device, and obtain access to all your personally created content, like your address book contents, business contacts, and in the case of them installing all the Apps you have installed on your device on a similar device, obtain all the personal information in those apps as well from the iSync'ed device

        (11) Access your keychain contents using #10, and if one of your devices is a laptop/desktop/in-some-cases-ipad, log in to all the accounts you have elsewhere (including maybe HRBlock.com?) that Safari kindly offered to "Remember my password for this site?" for you

        (12) Remote access your camera, if you happen to have an App that can do that.

        There. A dozen reasons why it's a bad thing, and that's without breaking a sweat, or pulling in indirect attacks, like the fact that a lot of foolish people tend to use the same login and password everywhere, and once they have it for your App Store account, they probably have it for other accounts as well.

  • by Anonymous Coward

    Yep, they were sending login information over plain http.

    Nope, they were not sending login information over plain http, but their store did send some information in the clear.
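The mixed-content problem pushing-robot describes (an HTTPS page that pulls in scripts or other sub-resources over plain http, so a man-in-the-middle can swap them for a fake password prompt) and swillden's "just go HTTPS for everything" both come down to something a site owner can audit. The scanner below is an added example written for this page, not code from Apple, the article, or any commenter. It walks the HTML of a page, resolves every sub-resource URL against the page URL, reports the ones that would load over http, splits them into "active" (script, iframe, stylesheet, form action, plugin: these can run code or change the page) and "passive" (images and media), and checks whether the response headers carry a Content-Security-Policy that upgrades or blocks mixed content and a Strict-Transport-Security header. The sample storefront HTML and hostnames (`store.example`, `cdn.example`, `images.example`) are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// sub-resources run as code or change the DOM ("active" mixed content).
# Everything else that loads a URL (img, audio, video) is "passive" mixed content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link", "form"}
# Attributes that name a URL the browser will fetch or submit to (checked in this order).
URL_ATTRS = ("src", "href", "action", "data")


class MixedContentScanner(HTMLParser):
    """Collect sub-resource URLs that an https:// page would load over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> only fetches something when it is a stylesheet; other rels are not loads.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in URL_ATTRS:
            raw = attrs.get(name)
            if not raw:
                continue
            # Relative ("/js/x.js") and protocol-relative ("//cdn/x.js") URLs inherit the
            # page's https scheme, so only explicit http:// references are mixed content.
            url = urljoin(self.page_url, raw.strip())
            if urlsplit(url).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((tag, url, kind))


def find_mixed_content(html, page_url):
    """Return (tag, url, kind) for every http:// sub-resource referenced by an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for an https:// page")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def csp_blocks_mixed_content(headers):
    """True if the Content-Security-Policy upgrades or blocks insecure sub-resource loads."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "").lower()
    directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
    return bool(directives & {"upgrade-insecure-requests", "block-all-mixed-content"})


def audit_page(html, page_url, headers):
    """Summarise a page's mixed-content exposure and the header mitigations it ships."""
    findings = find_mixed_content(html, page_url)
    lowered = {k.lower() for k in headers}
    return {
        "active": [url for _, url, kind in findings if kind == "active"],
        "passive": [url for _, url, kind in findings if kind == "passive"],
        "csp_mitigates": csp_blocks_mixed_content(headers),
        "hsts": "strict-transport-security" in lowered,
    }


# Constructed sample: a "secure" storefront page that still references an http script,
# an http image and an http form action. The protocol-relative and root-relative
# references are fine because they resolve to https.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://store.example/css/app.css">
<script src="http://cdn.example/js/store.js"></script>
</head><body>
<img src="http://images.example/banner.png">
<img src="//images.example/logo.png">
<script src="/js/local.js"></script>
<form action="http://store.example/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "https://store.example/",
                        {"Content-Security-Policy": "default-src 'self'"})
    for kind in ("active", "passive"):
        for url in report[kind]:
            print(f"{kind:7s} mixed content: {url}")
    print("CSP mitigates mixed content:", report["csp_mitigates"])
    print("HSTS present:", report["hsts"])
```

Run against a page fetched with any HTTP client, passing the response body and headers; the active list is the one that matters for the fake-login-prompt scenario, since a swapped script or form action runs with the page's origin, while passive findings mostly leak what the user is looking at. A policy such as `Content-Security-Policy: upgrade-insecure-requests` plus HSTS is the header-level version of "HTTPS for everything": the browser rewrites the http references itself and refuses to downgrade the page in the first place.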
