Apple's FaceTime for Mac debuts with security holes This article is being updated to note that, according to Apple Insider, this bug is no longer reproducible. Apple has provided no comment, and no update for the beta was released to effect the change. Apple's recently released FaceTime for Mac beta allows users to make important iTunes account changes without first entering …
It's a doozey, and this should be better addressed, but it is also a beta, and only an issue if someone can actually log onto your session. If you're in a public place, leave your machine without logging out, and don't have a password set for login from a screen saver (or boot), that's YOUR problem. Yes, you should not be able to change a password without a confirmation, but you should not be able to get TO this without knowing the keychain password first...
Its a lower levekl security risk than people are playing on. yes, it should be corrected anyway, it;s just bad form, but it is not an invalid practice in itself, or a bug.
If someone has physical or virtual (VNC) access to your mac then I presume that your itunes account would be the least of your worries.
This is a huge non-problem. Either the attacker has to use malware to plant remote login software or someone has to have physical access to your mac. Unless the first method of attack (malware) has been proven and is currently wild then the only people who can take advantage of this 'security hole' are those around you everyday.
If someone has physical access to your mac then the likelihood is that you'll have auto-fill/autologin enabled on loads of sites and therefore they'd be able to reset your account anyway.
Basically this is a bug not a security lapse - just as it would be if it occurred on any other platform.
If you leave your machine win a public place without locking the screen and requiring a password, you have already failed WAY more than Apple here.
yea, bad form, they should request the current key chain master password before allowing any other password changes, however, that's a "best practice" issue, not an actual security risk since it;s not possible to happen without a bigger security issue to start with. They have to get logged onto your machine to access this feature. If they can already do that, you have already lost. This is a small issue.
There has never been a single successful machine hack that allowed remote control of a Mac ITW ever. PWN2OWN has only been done using custom made web sites, and to get this control required he be at the machine when it happened, it can not be done by a bot or virus, and you have to fall for the phishing scam first...
...but only if they have already cracked your stronger security (got logged in as you on your machine).
Yes apple should change this. Changes to ANY passwords of local applications, especially those already tied into KeyChain, should prompt for the keychain password. However, this is a best practice, not really a security violation. They'll fix it because people went nuts, but the people don;t understand they've already lost if a hacker or thief is already at this screen...
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
