
Apple Discloses Security Encryption Flaw in iPhone, iPad, & Macs


Apple did not have a good weekend. They just disclosed a flaw in their implementation of SSL and TLS encryption that is essentially as bad as it gets. In their disclosure they said that “the software failed to validate the authenticity of the connection.” This vulnerability is a “fundamental bug in Apple’s SSL implementation” that opens up iOS encrypted email and browser communications to anyone on the same Wi-Fi network: because the client never confirms that it is really talking to the server it thinks it is, an attacker sitting between the two can impersonate the server. We are talking about a full Man in the Middle attack against all of Apple’s main products.

Without the patch Apple released this weekend, anyone at Starbucks could read your emails and encrypted web communication. Talk about rock solid business ready security. I am just wondering how Apple learned about the vulnerability… Either way, I HIGHLY recommend you tell all your friends on iOS to upgrade ASAP. Security researchers have confirmed that the flaw also exists on OS X, and a patch will probably be coming soon!
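To make the “failed to validate the authenticity of the connection” wording concrete, here is an added example in C (not code from this post or from Apple) that models the control-flow defect behind the bug: a duplicated, unconditional `goto fail;` makes the final signature check unreachable, so the function returns “no error” for any handshake whose earlier steps succeed, forged signatures included. The hash and signature steps are constructed stand-ins, and the function names are assumptions, not Apple’s identifiers. The vulnerable shape sits beside the fixed one, together with the negative test that would have caught it.

```c
#include <stdio.h>

/* Added example, not Apple's code. Constructed model of a TLS server-key-
 * exchange check: earlier hashing steps, then a final signature comparison. */
typedef struct {
    unsigned char expected_sig;   /* signature the server must present (constructed) */
    unsigned char presented_sig;  /* signature actually received (constructed) */
    int hash_ok;                  /* whether the earlier hashing steps succeed */
} handshake_t;

/* Stand-in for the hash-update steps that precede signature verification. */
static int hash_update(const handshake_t *h) { return h->hash_ok ? 0 : -1; }

/* Stand-in for the final check: does the presented signature match? */
static int verify_signature(const handshake_t *h) {
    return h->expected_sig == h->presented_sig ? 0 : -1;
}

/* Vulnerable shape. The second `goto fail;` is not guarded by the `if`
 * (the indentation is misleading), so it always runs while err is still 0.
 * The verify_signature() call below it is unreachable, and the caller is
 * told the connection is authentic. */
int verify_server_key_exchange_vulnerable(const handshake_t *h) {
    int err;
    if ((err = hash_update(h)) != 0)
        goto fail;
        goto fail;                        /* duplicated line: always taken */
    if ((err = verify_signature(h)) != 0) /* never executed */
        goto fail;
fail:
    return err;   /* 0 means "authentic" to the caller */
}

/* Fixed shape: braces on every conditional and no stray goto, so the
 * signature check is reached and its result decides the outcome. */
int verify_server_key_exchange_fixed(const handshake_t *h) {
    int err;
    if ((err = hash_update(h)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(h)) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* Negative test: a handshake carrying the wrong signature must be rejected.
 * Returns 1 if the checker rejects it, 0 if it wrongly accepts it. */
int rejects_forged_signature(int (*checker)(const handshake_t *)) {
    handshake_t forged = { .expected_sig = 0x5A, .presented_sig = 0x00, .hash_ok = 1 };
    return checker(&forged) != 0;
}

/* Positive test: a correct signature must still be accepted. */
int accepts_valid_signature(int (*checker)(const handshake_t *)) {
    handshake_t good = { .expected_sig = 0x5A, .presented_sig = 0x5A, .hash_ok = 1 };
    return checker(&good) == 0;
}

int main(void) {
    printf("vulnerable rejects forgery: %d\n",
           rejects_forged_signature(verify_server_key_exchange_vulnerable));
    printf("fixed rejects forgery:      %d\n",
           rejects_forged_signature(verify_server_key_exchange_fixed));
    printf("fixed accepts valid:        %d\n",
           accepts_valid_signature(verify_server_key_exchange_fixed));
    return 0;
}
```

Two things are worth noting for defenders. The vulnerable function passes every positive test (valid connections still work), which is why a test suite without a deliberately forged signature never notices; the one negative case is what exposes it. Compilers also flag this shape: the unreachable `if` and the misleading indentation trigger warnings such as GCC’s `-Wunreachable-code` and `-Wmisleading-indentation`, so treating warnings as errors in the build for security-critical code is a cheap second line of defence.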

via Reuters. Thanks Maulik for the tip!

12 comments on this post
  1. This is one of those base level fundamentals in development that must be right from deployment. Getting it wrong just shows that Apple are highly immature in their priorities, or that their devs are grossly lacking skills, or both.

    • I agree, and I guess that’s what you get when you’re trying to write your own security libraries. A double “goto fail” can happen by accident (unless it was planted ;)), but what they’re missing is automated testing or certification. You can’t let something like this slip if your job is about securing people’s data.

    • Bottom line is security isn’t their primary concern. The question remains: how long had this bug been around? Why isn’t the Air Force nervous?

  2. This is wonderful news, and continues to show how un-secure iOS truly is. The same goes for Android and WP8.

    Nothing beats a BlackBerry in secure data and communications. NOTHING.

    • It’s funny how all these CIOs have been duped to thinking that iOS is as secure as BlackBerry. We know the hardware isn’t secure – iPhones and iPads can be jailbroken, and then we know there are hidden flaws such as this.

  3. It has been around since the beginning of iOS from what I hear

  4. I bet the air force is feeling pretty great about that change over now. Solid security decisions were made there.

  5. Let’s be honest here though. This could have happened to anybody. We’re talking about a mistake made in a text file, similar to the recent vulnerability discovered in BlackBerry 10 which allowed Android apps access to the work contacts.
    What these companies are missing is serious testing and code review.

    What I find scarier is that none of the companies which are supposed to protect sensitive data (think banks) have tests in place to detect if the end point they connect to is the real one, and this regardless of the platform.

    • I’m sorry, ofutur. I don’t buy that argument. Yes, things are missed from time to time, but this is a huge blunder! Secure web SSL/TLS comms have been compromised for years on iOS? How could Apple have missed that? Comparing it to the BlackBerry Android player contact flaw is cheap. It’s not even in the same league, and the BlackBerry Android Player is only 6 months old. It’s a recent feature that needs to be hardened. Apparently, this far more serious iOS flaw has been around since 2007. How many folks have had their private data compromised the last 7 years? Unacceptable!

    • I don’t totally agree with you, and please correct me if I’m wrong…
      BlackBerry fixed that problem in the latest 10.2.1 and they don’t have that contact problem anymore with Android apps. From your previous post, Apple has had this problem for years now, since iOS 6, and it was just discovered a few days ago, with no patch yet.
      I feel sorry for our Air Force and our national security…


Copyright © 2007-2016 BerryReview LLC