Apple's FaceTime for Mac debuts with security holes

This article is being updated to note that, according to Apple Insider, this bug is no longer reproducible. Apple has provided no comment, and no update for the beta was released to effect the change. Apple's recently released FaceTime for Mac beta allows users to make important iTunes account changes without first entering …

COMMENTS

This topic is closed for new posts.
  1. Chas
    FAIL

    Oops!!

    Looks like Jobs will be handing out the pink slips. It's uncharacteristically stupid of Apple to let this one slip through: they've dropped the ball on a few occasions but this one's a doozy!

    And what's with no support for Leopard? - no bloody good reason to omit these users.

    Arse!

    =:~)

    1. Michael C

      half agreement

      It's a doozy, and this should be better addressed, but it is also a beta, and only an issue if someone can actually log onto your session. If you're in a public place, leave your machine without logging out, and don't have a password set for login from a screen saver (or boot), that's YOUR problem. Yes, you should not be able to change a password without a confirmation, but you should not be able to get TO this without knowing the keychain password first...

      It's a lower level security risk than people are playing on. Yes, it should be corrected anyway, it's just bad form, but it is not an invalid practice in itself, or a bug.

  2. Sceptic

    Hello it's a beta....

    So why else would Apple release a beta version than to expose flaws. Apart from sensationalising these in the press have they actually been fed back to Apple??

  3. Anonymous Coward
    Thumb Down

    Oh for heaven's sake!!!

    It's a beta release, i.e. it isn't actually finished yet!!

    1. Bear Features
      Megaphone

      try again

      A beta is released to get feedback on bugs and such, not really the type of thing that is used to let the world know you goofed on a basic. ;o)

  4. JoeBreg
    WTF?

    Interesting...

    If someone has physical or virtual (VNC) access to your Mac then I presume that your iTunes account would be the least of your worries.

    This is a huge non-problem. Either the attacker has to use malware to plant remote login software or someone has to have physical access to your mac. Unless the first method of attack (malware) has been proven and is currently wild then the only people who can take advantage of this 'security hole' are those around you everyday.

    If someone has physical access to your Mac then the likelihood is that you'll have auto-fill/autologin enabled on loads of sites and therefore they'd be able to reset your account anyway.

    Basically this is a bug not a security lapse - just as it would be if it occurred on any other platform.

  5. Trib
    Unhappy

    So what, it's available

    Don't care if it's beta or not. That is use at your own risk. Issue here is that you can use the software to change/hijack someone else's iTunes account.

    1. Michael C

      nah

      If you leave your machine in a public place without locking the screen and requiring a password, you have already failed WAY more than Apple here.

      Yeah, bad form, they should request the current key chain master password before allowing any other password changes, however, that's a "best practice" issue, not an actual security risk since it's not possible to happen without a bigger security issue to start with. They have to get logged onto your machine to access this feature. If they can already do that, you have already lost. This is a small issue.

      There has never been a single successful machine hack that allowed remote control of a Mac ITW ever. PWN2OWN has only been done using custom made web sites, and to get this control required he be at the machine when it happened, it can not be done by a bot or virus, and you have to fall for the phishing scam first...

      1. Anonymous Coward

        keep drinking the Kool-Aid

        Wow I want to live in your make-believe land, shame entry to the cult is so pricey..

  6. Anonymous Coward

    Sure it's a beta, but it's also...

    Sure it's a beta, but it's also a security cracker for iTunes

    1. Michael C

      sort of

      ...but only if they have already cracked your stronger security (got logged in as you on your machine).

      Yes, Apple should change this. Changes to ANY passwords of local applications, especially those already tied into KeyChain, should prompt for the keychain password. However, this is a best practice, not really a security violation. They'll fix it because people went nuts, but the people don't understand they've already lost if a hacker or thief is already at this screen...

  7. This post has been deleted by its author

  8. Neil Paterson
    FAIL

    @Sceptic, Bear Features et al.

    Yes, but this is His Holiness we're talking about - Everything that comes from Cupertino is Godly perfection in code form, surely?

    Apple don't *do* betas to test, debug and improve. They are there as marketing tools to be used by the early-adopting true Disciples.

  9. Dave 120

    Welcome to the last decade

    Sorry, are you actually getting excited over what is essentially a videocall app, like the ones webcam users have had for years?

  10. Tempest
    FAIL

    Why all the haste? Apple should have spent more time ...

    testing - they are getting sloppy what with all their other recent glaring software failures. These are basic things that should have been caught way before any release.

  11. Anonymous Coward

    Just an update on how it's been "fixed"

    Apple's blocked FaceTime's ability to log into the iTunes servers to change your account details.

    Effective? Yes.

    Elegant? Not in the slightest.

  12. Anonymous Coward
    Boffin

    Security

    If you leave your machine on and leave it running and someone takes control of your machine then your iTunes account being compromised is the least of your worries.

    They could open a terminal and "rm - r" some important system files!

    1. Anonymous Coward
      FAIL

      Oh noes, insufficient privileges!

      Unless, of course, you've gone to the trouble of enabling the root user and then running as that root user...
