Gotofail SSL Bug Also Affects Mac Apps Like Mail And FaceTime

Yesterday we told you about the worrisome SSL bug that affected both iOS and Mac. Of course Apple has already patched the bug, nicknamed Gotofail, on iOS but on the Mac the bug is still prevalent when using Safari. At first it was thought this bug only applied when users were browsing the net through Safari, but now it has been discovered the situation is much worse.

Private security researcher, Ashkan Soltani has found that the bug also affects other Mac applications such as Mail, FaceTime, Messages, Calendar etc., and not just Apple’s Safari browser. According to Forbes:

On Sunday, privacy researcher Ashkan Soltani posted a list of OSX applications on Twitter that he says he’s determined use Apple’s “secure transport” framework, the coding library that developers depend on to build programs that securely communicate online using the common encryption protocols TLS and SSL. The full list, which isn’t comprehensive given that Soltani only analyzed the programs on his own PC [..]

[..] The bug affects how Apple devices authenticate their secure connection with servers, allowing an eavedropper to fake that verification and hijack or corrupt traffic using what’s known as a “man-in-the-middle” attack. ”All these apps would be vulnerable to the same man-in-the-middle vulnerability outlined on Friday,” Soltani says.

It is worth noting that there is an extra layer of security in place for these applications, which may reduce the effects of the security vulnerability, but certain parts of the protocol like the initial handshake that rely on TLS could still be vulnerable to man-in-the-middle attacks. Furthermore, Apple’s update mechanism could also be vulnerable to spoofing.

screenshot-gotofail

Red underlines show the vulnerable applications.

The vulnerability is a result of a silly error which some have even said was intentionally introduced by Apple, to give the NSA a way to tap into the data going through secure networks. So just what was this error? Well it emerged from the portion of the code that verified the authenticity of the server was never reached. Essentially someone on the same Wi-Fi network as you could intercept data and alter it / steal your sensitive information.

Right now your only protection from this vulnerability is to only connect to networks you trust, not public networks.

Gotofail SSL Bug Also Affects Mac Apps Like Mail, Messages And FaceTime

Untethered iOS 12 Jailbreak Demoed by Ali Security

iOS 12 Now Available for Download: Compatible Devices

iPhone X Discontinued, iPhone 8 and iPhone 7 Prices Slashed

Apple iPhone Xs, iPhone Xs Max, and iPhone Xr Announced

Apple Watch Series 4 Announced With Larger Display, Louder Speaker, and More

Flashing Android 4.1.2 Jelly Bean On Galaxy Tab 7.7 Using The ParanoidAndroid ROM [How-To Guide]

How To Fix SSL Vulnerability On iPhone, iPod Touch, iPad Not Running iOS 4.3.5 Using isslfix

How To: Add Jailbreak Widgets To iOS 5 Notification Center

How To Jailbreak iOS 7 - 7.0.4 Untethered On iPhone, iPod Touch And iPad With Evasi0n 7 [Mac OS X / Windows]

How To Download And Install WinterBoard Themes To iPhone, iPod Touch, iPad [VIDEO]

Leave a Reply