This article is being updated to note that, according to Apple Insider, this bug is no longer reproducible. Apple has provided no comment, and no update for the beta was released to effect the change. Apple's recently released FaceTime for Mac beta allows users to make important iTunes account changes without first entering …
Looks like Jobs will be handing out the pink slips. It's uncharacteristically stupid of Apple to let this one slip though: they've dropped the ball on a few occasions but this one's a doozy!
And what's with no support for Leopard? - no bloody good reason to omit these users.
It's a doozey, and this should be better addressed, but it is also a beta, and only an issue if someone can actually log onto your session. If you're in a public place, leave your machine without logging out, and don't have a password set for login from a screen saver (or boot), that's YOUR problem. Yes, you should not be able to change a password without a confirmation, but you should not be able to get TO this without knowing the keychain password first...
Its a lower levekl security risk than people are playing on. yes, it should be corrected anyway, it;s just bad form, but it is not an invalid practice in itself, or a bug.
Hello its a beta....
So why else would Apple release a beta version than to expose flaws. Apart from sensationalising these in the press have they actually been fed back to Apple??
Oh for heavens sake!!!
It's a beta release, i.e. it isn't actually finished yet!!
A beta is released to get feedback on bugs and such, not really the type of thing that is used to let the world know you goofed on a basic. ;o)
If someone has physical or virtual (VNC) access to your mac then I presume that your itunes account would be the least of your worries.
This is a huge non-problem. Either the attacker has to use malware to plant remote login software or someone has to have physical access to your mac. Unless the first method of attack (malware) has been proven and is currently wild then the only people who can take advantage of this 'security hole' are those around you everyday.
If someone has physical access to your mac then the likelihood is that you'll have auto-fill/autologin enabled on loads of sites and therefore they'd be able to reset your account anyway.
Basically this is a bug not a security lapse - just as it would be if it occurred on any other platform.
So what, its availabe
Don't care if it beta or not. That is use at your own risk. Issue here is that you can use the software to change/hijack someone else iTunes account.
If you leave your machine win a public place without locking the screen and requiring a password, you have already failed WAY more than Apple here.
yea, bad form, they should request the current key chain master password before allowing any other password changes, however, that's a "best practice" issue, not an actual security risk since it;s not possible to happen without a bigger security issue to start with. They have to get logged onto your machine to access this feature. If they can already do that, you have already lost. This is a small issue.
There has never been a single successful machine hack that allowed remote control of a Mac ITW ever. PWN2OWN has only been done using custom made web sites, and to get this control required he be at the machine when it happened, it can not be done by a bot or virus, and you have to fall for the phishing scam first...
keep drinking the coolaid
Wow I want to live in your make-believe land, shame entry to the cult is so pricey..
Sure its a beta, but its also...
Sure its a beta, but its also a security cracker for iTunes
...but only if they have already cracked your stronger security (got logged in as you on your machine).
Yes apple should change this. Changes to ANY passwords of local applications, especially those already tied into KeyChain, should prompt for the keychain password. However, this is a best practice, not really a security violation. They'll fix it because people went nuts, but the people don;t understand they've already lost if a hacker or thief is already at this screen...
@Sceptic, Bear Features et al.
Yes, but this is His Holiness we're talking about - Everything that comes from Cupertino is Godly perfection in code form, surely?
Apple don't *do* betas to test, debug and improve. They are there as marketing tools to be used by the early-adopting true Disciples.
Welcome to the last decade
Sorry, are you actually getting excited over what is essentially a videocall app, like the ones webcam users have had for years?
Why all the haste?Apple should have spent more time ...
testing - they are getting sloppy what with all their other recent glaring software failures. These are basic things that should have been caught way before any release.
Just an update on how it's been "fixed"
Apple's blocked Facetime's ability to log into the iTunes servers to change your account details.
Elegant? Not in the slightest.
If you leave your machine on and leave it running and someone takes control of your machine then your iTunes account being compromised is the least of your worries.
They could open a terminal and "rm - r" some important system files!
Oh noes, insufficient privileges!
Unless, of course, you've gone to the trouble of enabling the root user and then running as that root user...