Apple’s ‘Gotofail’ SSL bug also affects Mail, Messages, FaceTime and other Mac apps

BY Gautam Prabhu

Published 24 Feb 2014

Over the weekend, Apple acknowledged that the serious SSL bug fixed in iOS 6.1.6 and iOS 7.0.6 also exists in OS X, and promised to release a software fix as soon as possible.

However, the situation appears to be considerably worse: security researcher Ashkan Soltani has found that the bug also affects other Mac applications such as Mail, FaceTime, Messages and Calendar, not just Apple’s Safari browser.

Forbes reports:

On Sunday, privacy researcher Ashkan Soltani posted a list of OSX applications on Twitter that he says he’s determined use Apple’s “secure transport” framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL. The full list, which isn’t comprehensive given that Soltani only analyzed the programs on his own PC [..]

[..] The bug affects how Apple devices authenticate their secure connection with servers, allowing an eavesdropper to fake that verification and hijack or corrupt traffic using what’s known as a “man-in-the-middle” attack. “All these apps would be vulnerable to the same man-in-the-middle vulnerability outlined on Friday,” Soltani says.

[Screenshot: gotofail, list of OS X applications using Secure Transport]

Security researcher Ashkan Soltani has underlined the vulnerable applications in the screenshot above.

Forbes points out that the extra layer of security in apps such as Messages and FaceTime may reduce the impact of the vulnerability; however, certain parts of the protocol that rely on TLS, like the initial ‘handshake’, could still be vulnerable to man-in-the-middle attacks.

The bug could also compromise Apple’s mechanism for pushing new updates to Macs. While the Software Update feature checks for Apple’s signature before installing any update, that has not stopped malware from spoofing those updates and installing spying tools on Macs in the past.

The bug, dubbed “gotofail” by the security community, appears to be the result of a simple coding error: the portion of the code that verified the authenticity of the server was never reached. This meant that someone on the same Wi-Fi network as you could intercept data being passed over secure channels to Gmail, Facebook, etc., and potentially alter it. The consequences of this flaw are serious, since banking sites and payment gateways depend on SSL/TLS connections to prevent spoofing and the theft of credentials.
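The control-flow mistake described above, as a constructed C illustration added here (not Apple’s Security framework code): a duplicated, unconditional `goto fail` jumps past the signature check while `err` still holds the success value from the previous step, so a forged signature is accepted. The hash and signature primitives, `verify_kx_vulnerable` and `verify_kx_fixed` are toy stand-ins invented for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy stand-ins (constructed for this illustration, not Apple's code): the
 * "hash" XORs every byte fed to it and a "signature" is valid when it equals
 * that hash. Each call returns 0 on success, as in the real API. */
typedef struct { uint8_t acc; } hash_ctx;

static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) c->acc ^= p[i];
    return 0;
}
static int hash_final(const hash_ctx *c, uint8_t *out) { *out = c->acc; return 0; }
static int raw_verify(uint8_t hash, uint8_t sig) { return hash == sig ? 0 : -1; }

/* Vulnerable shape: the second, indented but unconditional "goto fail" jumps
 * past hash_final and raw_verify while err still holds the 0 from the last
 * hash_update, so any signature is reported as valid. clang's
 * -Wunreachable-code and GCC's -Wmisleading-indentation flag this pattern. */
int verify_kx_vulnerable(const uint8_t *rnd, size_t n,
                         const uint8_t *params, size_t m, uint8_t sig) {
    hash_ctx ctx = {0}; uint8_t h; int err;
    if ((err = hash_update(&ctx, rnd, n)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, m)) != 0)
        goto fail;
        goto fail;                      /* the duplicated line */
    if ((err = hash_final(&ctx, &h)) != 0)
        goto fail;
    err = raw_verify(h, sig);           /* never reached */
fail:
    return err;
}

/* Fixed shape: identical except that the duplicated line is gone. */
int verify_kx_fixed(const uint8_t *rnd, size_t n,
                    const uint8_t *params, size_t m, uint8_t sig) {
    hash_ctx ctx = {0}; uint8_t h; int err;
    if ((err = hash_update(&ctx, rnd, n)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, m)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &h)) != 0)
        goto fail;
    err = raw_verify(h, sig);
fail:
    return err;
}
```

With inputs `{1,2,3}` and `{4,5}` the genuine toy signature is `0x01`; the vulnerable function returns 0 (success) even for a forged `0xFE`, while the fixed one returns -1.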

There are conspiracy theories floating around that the bug was intentionally introduced by Apple to give the NSA a way to tap into data passing over secure connections. The bug has been in the wild for more than a year, and even if it was a genuine mistake, there’s a high chance that it has already been exploited by the NSA or malicious hackers to steal private data.

Now that the bug is public, the risk is greater than ever. Some precautions you can take:

  • Connect only to trusted Wi-Fi networks. Do not connect to public Wi-Fi in cafés, at conferences, etc.
  • Try to use Firefox or Chrome until the OS X fix is pushed out. The two browsers don’t use Apple’s library, so they’re safe.
  • iOS 7.1 beta is still vulnerable, so you might want to switch back to the stable channel until a new beta is available.

We’ll keep you updated about this issue, and let you know as soon as the fix is available.

[via Forbes]