Apple iOS 7 security bug allows fiendish wags to easily empty your wallet

Apple has updated iOS 7 to fix a security bug that allowed miscreants to buy stuff from the online Apple Store without having to tap in a valid password. The Cupertino idiot-tax operation said new version 7.0.4 patches a flaw that affected in-app and app purchases. Usually, one must supply his or her Apple account username …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Holmes

    I recall the 90's

    when Apple users said their devices were completely secure, because they were built from the ground up to withstand attack.

    And all the security experts said "no, you just don't have any market share, so your software isn't getting attacked".

    And now we know the truth: A company with a little over 10% smartphone and PC market share has almost daily security flaws being exposed. Imagine how bad it would be if they ever hit 90% market share like Windows of the 90's.

    1. Anonymous Coward
      Anonymous Coward

      Patched

      Unlike the security bugs in Android!

      1. Anonymous Coward
        Anonymous Coward

        Re: Patched

        Don't think I'll be swapping iOS and its few, pretty minor and quickly fixed bugs with the many more, more serious and often never fixed (or available to the vast majority of the installed base) with Android.

        Fact is bugs happen but Apple tends to fix them quickly and they are available and installed by the majority of users very quickly.

    2. Anonymous Coward
      Anonymous Coward

      Re: I recall the 90's@ Andy Prough

      I think you are being a little selective over your 'facts'.

      The original iPhone didn't appear until around 2007 and as to the security issues and Apple Computers being more secure really didn't materialise as a marketing point until after the introduction of OSX in 2001. Granted there was a server version introduced in 1999, but the marketing ploy, Apple is more secure really didn't come of age until well after 2001.

      The Internet wasn't introduced to the public until the mid 1990's and Apple and Microsoft were not at each other's throats competitively until well into the 2000's.

      So the fact that you 'recall' the 90's makes me think once again you are full of s..t.

      You Plonker.

    3. PC1512

      Re: I recall the 90's

      Andy, I'd say the "truth" is that now Apple have very significant market share in both phones and tablets, their security is proving extremely robust. Next to their nearest competition (Android) there is next to no malware, have been virtually no successful attacks, just a handful of bugs that have routinely been squashed long before anyone was able to exploit in the wild.

      Compare that to Microsoft in the 90's - or even now - and it's chalk and cheese.

      Macs too have expanded their market, although to a much lesser degree. They're a far bigger and juicier target for hackers and yet.. What has happened? There was the rapidly shut down flashback Trojan a year or two ago (exploiting a java weakness that led to a complete rebuild of how and even if Java is included in Mac OS) and then... What? What happened to the security apocalypse that people like you have been predicting all these years? As a mac user I certainly haven't seen it.

      1. Anonymous Coward
        Anonymous Coward

        Re: I recall the 90's

        Look at all the infected or soon to be vulnerable XP machines still out there - horrendous. Mac desktops / laptops may have a smaller market share but they have a tiny fraction of the security issues / bugs.

    4. a53

      Re: I recall the 90's

      It's a trojan that relies on the naiveté of the user. Software writers can only do so much to compensate for someone doing something really stupid with their device. Whereas a lot of android, MS malware is just badly written and open to virus, etc.

    5. SuccessCase

      Re: I recall the 90's

      @Andy Prough, so that hacker conference - from The Register's own story:

      "A Japanese team from Mitsui Bussan Secure Directions earned $40,000 after showing how they could steal sensitive data from a Samsung Galaxy S4 and install attack code using flaws in software that is factory installed on the device."

      This is actually a problem with Chrome on Android, so affects more than just Samsung handsets.

      "Meanwhile, an eight-person team from Keen Cloud Tech in China showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials and a photo from a device running iOS 6.1.4, earning them $27,500 in prize money. The attack didn’t defeat Apple's sandboxing technology; otherwise they would have earned a lot more."

      This is one of the very few genuine security problems that has been reported for iOS. Beyond the above, at the same conference, an exploit was demoed showing Internet Explorer on Surface allows the Sandbox to be breached. So actually iOS has again *again* fared better than the competition.

      Also of course, once the fix is produced, it is a simple fact it will be applied to the iOS user base orders of magnitude quicker than the competition will achieve. Where Android is concerned, many if not most users will *never* see a fix applied.

      Please try to justify your "almost daily" claim with links to actual proven exploits. Actually do the research and compare with Android. Then come back and post something informative and that isn't just talking out of your hat. It's OK to advance a view or a preference, but please try not to let it turn into a "throw anything at em' " yah-booh fest with empty claims, just because "those other idiots read Marvel and I read DC."

    6. Anonymous Coward
      Anonymous Coward

      Re: I recall the 90's

      has almost daily security flaws being exposed

      You must be living in a parallel Universe. Daily? You do know that refers to a 24h span, don't you?

      1. Anonymous Coward
        Anonymous Coward

        Re: I recall the 90's

        You little boys don't recall all the Macro viruses of the mid-90's. Or the AutoStart or Sevendust worms for Macs in the late 90's. Most of those were spread via floppy or CD. Used to be, you didn't need internet access to spread a bit of chaos.

        But, none of that stopped Apple users (and some Apple execs) from claiming their OS was "immune" from malware attacks. They built a whole ad campaign around it in the early 2000's. The only reason their myth of Apple security spread was because Mac had only 1-2% market share, and because of the tiny user base most people didn't know anyone who had suffered a Mac infection.

        1. jubtastic1

          Re: I recall the 90's

          I ran a Prepress bureau in the 90's, back when the whole industry was macs and the odd fuckwit with a ms publisher doc. We had a constant stream of unreliable syquest disks, zips and floppies coming through the door from other mac outfits as well as over the ISDN line.

          Mac viruses in the 90's were so stupidly rare, and so simple that a single bloke maintained a free system extension called disinfectant that cleared them up. I have no recollection of ever having a problem with viruses back then and in truth little has changed over the years.

        2. James O'Shea

          Re: I recall the 90's

          I remember SevenDust and the AutoStart worm very well. I also remember that they were the very last significant Mac malware until last year. And they were ridiculously easy to kill; if I recall correctly, AutoStart could be contained by, well, simply turning off the autoplay feature on the Mac's optical drive. And it was trivial to detect and remove: do a search for an invisible file named 'DB' and kill it, and it's gone. Or just use John Norstad's free A/V tool Disinfectant. As for the macro viruses... _Microsoft_ fixed that, and the majority didn't work properly (or, in many cases, at all) on Macs because the idiots developing them were Windows-fixated and did silly things such as searching for a 'C:\' drive or a 'Windows' folder. As Macs don't have those things (unless someone went out of their way to rename the drive or to set up a folder) whole classes of macro viruses simply failed to even install. And a lot of the ones which did install were little more than nuisances, unless they could somehow be transferred over to a WinBox, in which case it was the WinBox's problem. If the WinBox had adequate A/V, _it_ killed the virus. If it didn't have adequate A/V, that comes under the heading of Not My Problem unless I was responsible for maintaining it... and all WinBoxes under my control had adequate A/V. There were a few macro viruses which actually worked on Macs. A very few. I even saw one, once... in captivity after it had landed on a Mac which was someone else's responsibility. That admin detected it before it could do any damage and caged it. He'd have just killed it, except that he wanted to show that there was a Genuine, Actual, For Real, Mac virus, as he'd never seen one before. I swapped it for a copy of the AutoStart worm that I had located. Those two items were the first two Mac malware that I'd seen in _six years_, and the _last_ ones that I have _ever seen at all_. That's right, I have seen any Mac malware since _1998_.

          The recent flurry of trojans has completely passed me by. Maybe I'm just lucky. Or maybe you're making a mountain out of a molehill.

          1. SuccessCase

            Re: I recall the 90's

            @James O'Shea

            As a PC --> Mac convert, it's interesting to observe human nature playing out in these forums. Every Mac user knows Mac experience re: security and malware has always been far better than the Windows PC experience and still is. Mac users know it because so few of them have ever encountered any problems. I've certainly not met anyone who has, though I have read very occasional stories about people who have.

            But having this experience, finding every Mac user we ever meet in the flesh has had the same experience, it's quite interesting how many people there are in these forums who come across as desperate to run the Mac down. They don't understand how by making the claims they do, they immediately mark themselves before the Mac users as immature idiots with no actual experience of the platform.

            It's also interesting to observe how many commentators have predicted the imminent sea-change in the Mac experience with malware armageddon about to strike. It's been in perpetual "about to strike" mode, certainly since I started using Mac OS in 2007 and probably from far before then. Hasn't struck yet though has it.

            It seems only people who run Linux have an understanding of what it's like to not ever unduly worry about malware infecting the OS.

            1. Anonymous Coward
              Anonymous Coward

              Re: I recall the 90's

              Amazing how myopic Mac owners can be. Was it only a year ago that Flashback was running rampant through Mac systems worldwide? Hundreds of thousands of systems were infected, and if I recall, the backdoor was used to hack into more than one corporate system and compromise user data. Through Flashback, a 600,000 Mac botnet was created.

              But no - instead we get these comments - "Herp-derp - I've never met a Mac user who has had an infection, herp-derp." You guys are continuing to spread a fairly destructive mythology of superior security, which causes Mac users NOT to take routine protection protocols seriously.

              Do you really think that the users on this forum DON'T know the vulnerabilities of Unix-like systems? People who set up Linux and BSD servers and networks for a living have a pretty good idea of what's required to secure a system like OSX. Failing to heed their warnings has left many of your users open to Flashback, Mac Defender, and other OSX-targeting malware.

              1. SuccessCase

                Re: I recall the 90's

                "Flashback, Mac Defender, and other OSX-targeting malware."

                You're so funny and predictable @Andy Prough. There you have mentioned the only TWO out in the wild pieces of Malware that have affected Macs with any appreciable volume, even going so far as to mention the figures for the widest spread infection (which by the way was patched by Apple, so no need for 3rd party AV). But we both know why your list stopped with those two, don't we. Because finally you have done some checking before commenting and you couldn't find any more, could you.

                But having realised that, rather than comment on how remarkable that is, you couldn't help but continue your usual line in BS by adding "and other OSX targeting malware." Additionally of course as the 600,000 infected machines is the widest spread of malware attack out of the two, thanks for illustrating my point as to why it is I have never met, in the flesh, any Mac owner who has suffered a malware problem. Given the Mac user-base is over 66 million, I might still meet that 1 in 100 user who found his/her system patched by Apple and restored to full health anyway.

                "People who set up Linux and BSD servers and networks for a living have a pretty good idea of what's required to secure a system like OSX."

                Sounds very sage with a bit of "take it from me" mixed in. But really have I been transported back to the 1990's when systems would come delivered with open ports running insecure services and no firewall? So I've just purchased my new Mac, do tell me, what additional action I now need to take to secure it?

                BTW, if you have a security sensitive business, I agree it is important to switch on disk encryption. Apple as a matter of policy have decided there is no point in even pretending unencrypted systems are protected from miscreants who have even limited physical access to the machine. Also if you are integrating a Mac with your business network you should be sure you know what you are doing with network services.

                I also fully understand, if a skilled hacker has reason to target you and wants to gain access to your machine, they will be able to gain access and the only way to secure a machine from a concerted attack is to lock it in a room with no network connectivity. Every user, Mac users included, should be aware of the basic don'ts needed to keep a system safe from generalised attacks and if you have reason to think you might be more than just a target for generalised attack (e.g. you do business where you deal with or know of people who could be motivated to target you in particular), then you need to take special security measures and implement strict procedures. But none of that changes the simple fact that for the general population, with regard to malware and security, the experience of owning a Mac is nothing like the experience of owning a PC.

              2. Anonymous Coward
                Anonymous Coward

                Re: I recall the 90's

                Amazing how myopic Mac owners can be

                Amazing how people can spout off about stuff they don't know anything about. Here is a clue: it takes more than using Google to get some hits on virus infections. Like a number of other people, I'm a Windows to Mac convert, and that's for desktop use - as for servers, I've used every version of Unix going from SunOS onwards, including HPUX and the mildly irritating AIX (I hate menus). As for desktops, well, I think I've seen it all and here is an interesting tale: I did NOT like Macs many years ago when I was forced to use OS 9 at a rather well known UK telco.

                As a result of working in large corporates I have been exposed to every version of Windows more or less from GEM upwards and had to mine the crap out of them for vulnerabilities, and as a security specialist I've worked pretty much on every part of the stack from the cable upwards, all the way to the wetware (as I studied psychology too), and you nitwit, assert that I'm myopic for using a Mac.

                Well, here is an exercise for you. Actually BUY a Mac. Spend some money instead of being a cheap git jealously sniping from the corner because you cannot leave the suckling teat of a Microsoft desktop, or because you cannot admit that the Linux desktop needs people writing good software for it that *gasp* costs actual money. You seem to have a moderate clue about systems, so try it. Stop the BS.

                If you spend 3 months using OSX and do not suddenly discover that you have been wasting a Godawful amount of time patching instead of just using the machine, if you don't realise that your network is suddenly not at max capacity with all the daily virus scanner updates, if you don't discover that usability is not just a marketing gimmick but something that actually makes a machine usable even if you ARE already an expert, if you don't discover that buying the software to do a moderately advanced job is significantly cheaper than on a Windows platform, then you have not bought and used a Mac at all.

                What *I* recall from the 90s was a USENET where you could actually have a good technical discussion about platform differences and where this could help, instead of it being swamped with idiots bleating about their personal choice because they haven't got a clue or the brains to try things. We talked about interoperability instead of the monoculture which lovingly prepared the devastating bang that ended the 90s: the ILOVEYOU virus.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: I recall the 90's

                  @AC 23:06 -

                  > "Well, here is an exercise for you. Actually BUY a Mac. Spend some money instead of being a cheap git jealously sniping from the corner because you cannot leave the suckling teat of a Microsoft desktop"

                  We put money into Macs at my company. I'm not a fanboi however - I see the good and the bad with Mac, and personally I only find them to be more productive and cost-effective in some very narrow use cases. Mixing bits of music and video for promotional campaigns is one of those use cases.

                  > "If you spend 3 months using OSX and do not suddenly discover that you have been wasting a Godawful amount of time patching instead of just using the machine"

                  I haven't spent hardly any time in many years "patching" machines - most of that gets set up on a schedule - even on our Linux boxes. Macs don't take any more or less time to keep "patched" than Windows. Of all the OS's, the Linux boxes are probably the most complicated to keep up-to-date (although apt makes it incredibly easy), but they are also by far the most complex, versatile, cost-effective, and productive all-around systems. We probably spend a small amount more time "patching" our Linux boxes because we demand a lot more from them.

                  By the way - if you ever want to see a system that requires NO maintenance time - get yourself a cheap little Chromebook. They are NICE.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: I recall the 90's

                    By the way - if you ever want to see a system that requires NO maintenance time - get yourself a cheap little Chromebook. They are NICE.

                    Alas, I work with just about the most sensitive data you can get about people's personal life. There is no hope in hell I will ever get near a Chromebook - also because I travel too much. I need to be able to work offline, and Chromebooks have not impressed me with their offline abilities, it's not what it's designed for.

    7. TheVogon

      Re: I recall the 90's

      "allows fiendish wags to easily empty your wallet"

      Surely that was always a fundamental feature of Apple products?

    8. Anonymous Coward
      Anonymous Coward

      Re: I recall the 90's

      "And now we know the truth: A company with a little over 10% smartphone and PC market share has almost daily security flaws being exposed. Imagine how bad it would be if they ever hit 90% market share like Windows of the 90's."

      Quite correct - OS-X is already on over 2,000 security vulnerabilities - versus Microsoft's worst ever OS - XP - on about 600....Ditto Linux distributions - e.g. SUSE 10 - over 3,800 vulnerabilities. IOS has had over 400 security vulnerabilities to date. But all of these never really hit high market share percentages.

      Android is built on Linux and Java - both pretty much the worst in their respective fields for security vulnerabilities...And has 80%+ market share - and surprise surprise - it has thousands of Malware versions...

      1. Fred Flintstone Gold badge

        Re: I recall the 90's

        Quite correct - OS-X is already on over 2,000 security vulnerabilities - versus Microsoft's worst ever OS - XP - on about 600....Ditto Linux distributions - e.g. SUSE 10 - over 3,800 vulnerabilities. IOS has had over 400 security vulnerabilities to date. But all of these never really hit high market share percentages.

        You know that the "k" behind the 600 has a meaning too, don't you?

  2. Anonymous Coward
    Anonymous Coward

    meh

    If you don't auto lock your phone and use a passcode and or fingerprint (touch id) then of course any unattended device is open to abuse

  3. Anonymous Coward
    Anonymous Coward

    Writing style?

    The Cupertino idiot-tax operation

    the fanboi's credit card on record

    Adds no value to the reporting

    showed off a fresh new set of techniques for infiltrating iOS devices

    Which was also demonstrated for Android.

    What is this, click trolling?

    1. Anonymous Coward
      Anonymous Coward

      Re: Writing style?

      They like to think they are being irreverent and funny.

      "The Cupertino idiot-tax operation"

      Not sure how they square that with the Consumer Intelligence Research Partners (CIRP) survey that found people with Apple devices are younger, richer and have more masters degrees or doctorates compared to e.g. people who own Samsung phones.

      "The fanboi's credit card on record"

      Type in "food coupon app" on Google and see which platform gets the top four links. I guess that's a readily available form of payment for Android fanboi's.

      1. Anonymous Coward
        Anonymous Coward

        Re: Writing style?

        "Type in "food coupon app" on Google and see which platform gets the top four links. I guess that's a readily available form of payment for Android fanboi's."

        Laughed so much I spat my rice out at my wife!

        1. dougal83

          Re: Writing style?

          ""Type in "food coupon app" on Google and see which platform gets the top four links. I guess that's a readily available form of payment for Android fanboi's."

          Laughed so much I spat my rice out at my wife!"

          Laughing at poor people... Classy.

          1. Anonymous Coward
            Anonymous Coward

            Re: Writing style?

            "You'd have to have a heart of stone not to laugh at the death of Little Nell"

            Oscar Wilde quote which says something profound about the nature of humour and also provides a good measure for how to determine the humourless.

            1. dougal83

              Re: Writing style?

              ""You'd have to have a heart of stone not to laugh at the death of Little Nell"

              Oscar Wilde quote which says something profound about the nature of humour and also provides a good measure for how to determine the humourless."

              Also shows how much of a pretentious tw@t you are but there you go. One for you:

              The only true wisdom is in knowing you know nothing. - Socrates

              1. Anonymous Coward
                Anonymous Coward

                Re: Writing style?

                Way to prove my point.

                1. dougal83

                  Re: Writing style?

                  Lol, says the guy who proved mine and had none. You do know you're on "Anonymous Coward" right? The option for witless wonders who know what they're typing is merely detritus on the inter webs. If you bother with any more meaningless replies, enjoy the tumble weed my old bean.

              2. Anonymous Coward
                Anonymous Coward

                Re: Writing style?

                Your true wisdom clearly exempts you, by showing you have got none.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Writing style?

                  Obvious troll is obvious.

        2. Anonymous Coward
          Anonymous Coward

          Re: Writing style?

          Also try (on google): get a life app

          Google play number 1 of course.

          1. Anonymous Coward
            Anonymous Coward

            Re: Writing style?

            iTunes(App store): Fling Poo

            Much better! Us 'roiders just shove our hand down our knickers and bring up an ass apple and throw it IRL. True story.

  4. nanchatte

    Really?

    "Idiot tax operation"? How long did you spend coming up with that? It was like that "Foxconn rebrander" title bestowed last week... While I like a humorous dig as much as (or perhaps even a wee bit more than) the next man, these little epithets are getting rather tiresome and detract from the overall quality of the article.

  5. Ted Treen
    FAIL

    "...The Cupertino idiot-tax operation..."

    ...as reported by the Laystall Street kiddie-scribble operation...
