SciTech

iTunes Store vulnerability disclosed, fixed
Now it can be told: Apple's iTunes Store had a vulnerability that made it accept incorrect passwords from America Online (AOL) users, a flaw that could have been exploited by hackers. Security researcher Joshua Long said he discovered the vulnerability more than six months ago but kept silent until Apple could fix the flaw.

"Apple recently worked with AOL to fix a vulnerability that I discovered in the iTunes Store authentication process ... This vulnerability seemed to be a problem in the way Apple integrated AOL usernames and passwords into its services," he said in his blog.

Before the vulnerability was fixed, he said, Apple would accept incorrect passwords from users logging into the store with an AOL Screen Name: incomplete passwords, passwords with incorrect letter case, passwords with incorrect or extra characters at the end, or any combination of these, were accepted.

"Knowledge of this vulnerability could potentially have been used by attackers, leading to disclosure of personally identifiable information, identity theft, and fraudulent purchases," he said.

Long said the vulnerability used up the full six-month disclosure window before it could be announced. He said Apple was at first unresponsive to the problem, and when it did respond it was initially unable to reproduce it.

"When I discovered this security vulnerability last year, I felt that it was serious enough to warrant submitting it to a responsible third-party vulnerability management organization rather than only to Apple or AOL. I have submitted reports to both companies in the past, and I have found that sometimes it can take them a very long time to respond to a security issue," Long said. He noted that up to now, AOL "still doesn't seem to care about encrypting its Web-based e-mail service, in spite of Firesheep shining a spotlight on the problem last year."
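As an added illustration of the failure mode the article describes, the block below is a constructed model, not Apple's, AOL's or Long's code, and it makes no claim about how the real integration was built. It shows a lax password comparison that case-folds both sides and looks only at a fixed number of leading characters, which reproduces all three reported symptoms (incomplete password, wrong letter case, extra trailing characters), beside a hardened check that hashes the full supplied string and compares it in constant time. The screen name, password, salt and the 8-character limit are all assumed sample values.

```python
import hashlib
import hmac

# Constructed reference data for the demonstration only; not real accounts.
# The lax path has to keep the plaintext around, because a prefix or
# case-folded comparison cannot be done against a proper hash. That alone
# is a design smell worth catching in review.
REFERENCE_PLAINTEXT = {"example_screenname": "CorrectHorse9"}

LEGACY_LIMIT = 8  # assumed truncation length used by the lax model


def lax_check(screen_name: str, supplied: str) -> bool:
    """Constructed model of a check that shows every symptom the article
    lists: both sides are case-folded and only the first LEGACY_LIMIT
    characters are compared, so a truncated password, wrong letter case,
    or trailing junk all pass."""
    stored = REFERENCE_PLAINTEXT.get(screen_name)
    if stored is None:
        return False
    return stored[:LEGACY_LIMIT].casefold() == supplied[:LEGACY_LIMIT].casefold()


# Hardened form. The salt is a constructed constant here; in a real store
# it would be random and per user.
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
ITERATIONS = 100_000


def derive(password: str) -> bytes:
    """Slow, salted key derivation over the exact bytes supplied."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


STORED_HASH = {"example_screenname": derive("CorrectHorse9")}


def strict_check(screen_name: str, supplied: str) -> bool:
    """The full supplied string is hashed byte-for-byte and compared in
    constant time; no normalisation, no truncation, no prefix matching."""
    expected = STORED_HASH.get(screen_name)
    if expected is None:
        # Do the same amount of work for unknown names so response time
        # does not reveal which screen names exist.
        derive(supplied)
        return False
    return hmac.compare_digest(expected, derive(supplied))


def probe(check) -> dict:
    """Run the article's cases through a checker; True means accepted.
    Inputs are constructed to match the symptoms the article describes."""
    cases = {
        "exact": "CorrectHorse9",
        "incomplete": "CorrectH",          # cut off after 8 characters
        "wrong_case": "correcthorse9",
        "extra_tail": "CorrectHorse9xyz",  # correct password plus junk
        "combined": "correcthxyz",         # truncated, lower-cased, junk appended
    }
    return {name: check("example_screenname", pw) for name, pw in cases.items()}


if __name__ == "__main__":
    for label, checker in (("lax", lax_check), ("strict", strict_check)):
        print(label, probe(checker))
```

Running the block prints the lax model accepting all five inputs and the strict check accepting only the exact password. The detection angle for a defender is the same as the test: feed an authentication endpoint a known-good credential with each of these mutations applied and treat any acceptance other than the exact string as a finding.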
"I hoped that bringing in a third party to work with the vendor would help encourage the vendor to take the issue seriously and fix it more quickly," he said. He eventually asked upSploit to help inform the affected parties about the vulnerability and the date on which it would be disclosed to the public. "I believe that upSploit's persistence was a major factor in motivating the vendor to take action and to resolve the issue," he said. — LBG, GMA News