
Apple gotofail bug affects Facebook and Twitter

On Sunday, February 23, Andy Greenberg of Forbes reported that a security bug that affects many Apple computers and mobile devices could leave people vulnerable to hackers when they use Twitter, Mail and other popular apps.

According to Greenberg, "First, Apple revealed a critical bug in its implementation of encryption in iOS, requiring an emergency patch. Then researchers found the same bug is also included in Apple’s desktop OSX operating system, a gaping Web security hole that leaves users of Safari at risk of having their traffic hijacked. Now one researcher has found evidence that the bug extends beyond Apple's browser to other applications including Mail, Twitter, FaceTime, iMessage and even Apple's software update mechanism.

"On Sunday, privacy researcher Ashkan Soltani posted a list of OSX applications on Twitter that he says he's determined use Apple's 'secure transport' framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL."

Greenberg pointed out that the list might not include everything that is affected by the bug because Soltani only analyzed the programs on his own computer. Having said that, Soltani identified at least eight popular programs that will be vulnerable to attack unless Apple users download a security update that was released on Friday, February 21 that fixes the bug.

According to Greenberg, "Soltani, an independent researcher whose recent work has included analyzing the surveillance documents leaked by NSA contractor Edward Snowden on behalf of the Washington Post, warns that the security of several applications on that list are severely compromised, including Apple's email program Mail, scheduling app Calendar and its official Twitter desktop client.

"The bug affects how Apple devices authenticate their secure connection with servers, allowing an eavesdropper to fake that verification and hijack or corrupt traffic using what's known as a 'man-in-the-middle' attack. 'All these apps would be vulnerable to the same man-in-the-middle vulnerability outlined on Friday,' Soltani says."

On Saturday, February 22, Kevin Poulsen of Wired explained what could happen if Apple users in the greater Spokane area don't download the latest security update.

According to Poulsen, "Apple released iOS 7.0.6 [Friday, February 21] to patch the bug in its implementation of SSL encryption — the Internet's standard defense against eavesdropping and web hijacking. The bug essentially means that when you're e-mailing, tweeting, using Facebook or checking your bank account from a shared network, like a public WiFi or anything tapped by the NSA, an attacker could be listening in, or even maliciously modifying what goes to your iPhone or iPad."

The new iOS update protects many Apple mobile devices from the bug. Desktop computers and laptops may still be vulnerable. Greenberg reported that an update for OS X 10.9.1 should be available "very soon."

According to Poulsen, "The issue... is indeed fixed in the new iOS 7.0.6 (which you should install, if you’re using iOS 7.) An update to iOS 6 pushed [Friday] fixes the bug there as well. Reportedly, OS X 10.9.1 is still affected by the vulnerability."

Poulsen's reference to the NSA was probably an allusion to the rumors circulating among computer experts that the bug was a deliberate attempt by the government to spy on Apple users.

On Sunday, February 23, Chris O'Brien of the Los Angeles Times gave an overview of what people have been saying about the bug.

According to O'Brien, "... others wondered whether the code was a deliberate attempt to create a backdoor for government spy agencies. They pointed to the fact that some researchers have discovered that the bug first appeared in a version of iOS 6 at about the same time that slides released by Edward Snowden indicate that the National Security Agency claimed it had established a backdoor into some products by Apple.

"'It’s purely circumstantial,' wrote noted Apple follower John Gruber who writes the Daring Fireball blog. 'But the shoe fits.'

"Apple, as have other tech companies named by Snowden, has repeatedly denied that it has created any kind of backdoor into its products for U.S. government spy agencies."

O'Brien went on to say that other experts think the bug was simply an honest coding mistake.

According to O'Brien, "... several critics said the concerns over the gotofail bug were overblown. And they noted that cybersecurity experts have routinely detected far more security holes in Google's Android operating system."

Whether the bug was created by accident or deliberately, Apple users in the greater Spokane area should download the mobile security updates as soon as possible. O'Brien added that experts recommend not using Apple's Safari web browser until the bug is patched on their devices.
