Gotofail SSL Bug Also Affects Mac Apps Like Mail And FaceTime

Yesterday we told you about the worrisome SSL bug that affected both iOS and Mac. Of course Apple has already patched the bug, nicknamed Gotofail, on iOS but on the Mac the bug is still prevalent when using Safari. At first it was thought this bug only applied when users were browsing the net through Safari, but now it has been discovered the situation is much worse.

Private security researcher, Ashkan Soltani has found that the bug also affects other Mac applications such as Mail, FaceTime, Messages, Calendar etc., and not just Apple’s Safari browser. According to Forbes:

On Sunday, privacy researcher Ashkan Soltani posted a list of OSX applications on Twitter that he says he’s determined use Apple’s “secure transport” framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL. The full list, which isn’t comprehensive given that Soltani only analyzed the programs on his own PC [..]

[..] The bug affects how Apple devices authenticate their secure connection with servers, allowing an eavedropper to fake that verification and hijack or corrupt traffic using what’s known as a “man-in-the-middle” attack. ”All these apps would be vulnerable to the same man-in-the-middle vulnerability outlined on Friday,” Soltani says.

It is worth noting that there is an extra layer of security in place for these applications, which may reduce the effects of the security vulnerability, but certain parts of the protocol like the initial handshake that rely on TLS could still be vulnerable to man-in-the-middle attacks. Furthermore, Apple’s update mechanism could also be vulnerable to spoofing.

screenshot-gotofail

Red underlines show the vulnerable applications.

The vulnerability is a result of a silly error which some have even said was intentionally introduced by Apple, to give the NSA a way to tap into the data going through secure networks. So just what was this error? Well it emerged from the portion of the code that verified the authenticity of the server was never reached. Essentially someone on the same Wi-Fi network as you could intercept data and alter it / steal your sensitive information.

Right now your only protection from this vulnerability is to only connect to networks you trust, not public networks.

Gotofail SSL Bug Also Affects Mac Apps Like Mail, Messages And FaceTime

Untethered iOS 12 Jailbreak Demoed by Ali Security

iOS 12 Now Available for Download: Compatible Devices

iPhone X Discontinued, iPhone 8 and iPhone 7 Prices Slashed

Apple iPhone Xs, iPhone Xs Max, and iPhone Xr Announced

Apple Watch Series 4 Announced With Larger Display, Louder Speaker, and More

How To: Make iTunes 11 More Like iTunes 10.7, By Bringing Back The Sidebar And Status Bar

Learn How To Better Organize Cydia To Display Only Useful Packages Like Tweaks And Utilities

How To: Jailbreak A4 iPhone, iPod Touch, iPad, Apple TV 2G Untethered On iOS 5.1.1 With PwnageTool 5.1.1

How To: Backup Your Instagram Photos And Then Delete Your Account

How To: Remove Unnecessary Files To Gain 1GB Storage Space, Increase Battery Life On iPhone, iPod Touch, iPad [Part One]

Leave a Reply