OS X and iOS prone to man-in-the-middle attacks – update
Apple has released a patch for iOS that fixes a serious vulnerability in the SSL/TLS implementation. However, OS X also seems vulnerable. The bug makes it possible to view data traffic that should be encrypted.
Apple has released updates for iOS 7 and iOS 6, bringing them to versions 7.0.6 and 6.1.6. According to the manufacturer, there was a bug that “made it possible for an attacker with elevated network privileges to capture and modify protected data via SSL/TLS”. The cause is said to be a failure to properly validate the authenticity of the connection, but details are still scarce.
In other words, an attacker can see https:// traffic from an unpatched iOS device on a network to which the attacker is also connected. SSL/TLS is primarily intended to protect sensitive data connections such as internet banking, online purchases and webmail, but the encryption protocols are being used at more and more sites. The bug is especially dangerous on free public networks.
However, multiple sources, such as security company CrowdStrike, report that not only iOS but also OS X contains the faulty SSL/TLS implementation. According to Neowin, only https:// traffic with direct IP addresses is vulnerable, and URLs with domain names are not. It is unclear which versions of OS X are affected, but according to Neowin, Mavericks is affected in any case.
The advice to iPhone and iPad users is to update to the latest iOS version as soon as possible. It is also recommended to avoid connections to networks whose reliability is not certain. Apple is expected to release an update for OS X, but it hasn’t been announced yet.
Update, 15.30: The error is said to be a double ‘goto fail’ in the code. As a result, the check of whether the certificate belongs to the private key is skipped, according to Adam Langley of Google, among others.
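The effect described in the update, as an added C sketch that is not Apple's source and not part of the original article: a duplicated 'goto fail' after an unbraced if always jumps to the exit with the error code still 0, so the signature check never runs. The names hash_step, check_signature, verify_buggy and verify_fixed are hypothetical stand-ins, and the hardened variant shows one defensive pattern (braces plus a fail-closed result), not the vendor's patch.

```c
#include <stdio.h>

/* Hypothetical stand-ins for handshake steps: 0 = success, non-zero = error. */
static int hash_step(void) { return 0; }
static int check_signature(int sig_is_valid) { return sig_is_valid ? 0 : -1; }

/* Flawed pattern: the second "goto fail" is not governed by the if above it. */
int verify_buggy(int sig_is_valid)
{
    int err;

    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
        goto fail;      /* duplicated line: always taken, with err == 0 */
    if ((err = check_signature(sig_is_valid)) != 0)  /* never reached */
        goto fail;

fail:
    return err;         /* caller reads 0 as "verified" */
}

/* Hardened pattern: braced branches, and success is only set at the very end. */
int verify_fixed(int sig_is_valid)
{
    int result = -1;    /* fail closed: a stray jump to "done" reports failure */

    if (hash_step() != 0) { goto done; }
    if (hash_step() != 0) { goto done; }
    if (check_signature(sig_is_valid) != 0) { goto done; }
    result = 0;         /* reached only when every step passed */

done:
    return result;
}

int main(void)
{
    /* Constructed input: 0 = invalid signature, 1 = valid signature. */
    printf("buggy, invalid signature: %d\n", verify_buggy(0));
    printf("fixed, invalid signature: %d\n", verify_fixed(0));
    printf("fixed, valid signature:   %d\n", verify_fixed(1));
    return 0;
}
```

Compiling the flawed function with GCC's -Wmisleading-indentation (part of -Wall) or Clang's -Wunreachable-code flags the duplicated line.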