Security consultant takes less than a day to exploit OS X bug to capture all SSL traffic

ssl

Update: The bug has been fixed in OS X 10.9.2

Security consultant Aldo Cortesi said in a blog post (via ZDNet) that it took him less than a day to exploit the goto fail bug in OS X to capture all SSL traffic, and that there’s a good chance he isn’t the first to have done so – an implicit suggestion that the vulnerability may already be being used in man-in-the-middle attacks.

I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured. This includes:

  • App store and software update traffic
  • iCloud data, including KeyChain enrollment and updates
  • Data from the Calendar and Reminders
  • Find My Mac updates
  • Traffic for applications that use certificate pinning, like Twitter … 

The proof of concept was pulled together from information in the public domain. Cortesi said that he modified an existing man-in-the-middle proxy, mitmproxy, to exploit the bug. He tweeted a series of screenshots showing captured SSL data, including iCloud keychain traffic and data from software update.

It’s difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic. This extends to the software update mechanism itself, which uses HTTPS for deployment.

Cortesi says that he will not supply further details of how he achieved the interception until Apple has patched OS X.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. depicus (@depicus) - 9 years ago

    Then don’t use public access points, make sure you are on a known network. It’s one thing doing it in a lab but another in the real world

    • mockery17 - 9 years ago

      10.9.2 can’t come soon enough. This is one of the few times I am not on the defensive side when it comes to Apple blunders.

    • varera (@real_varera) - 9 years ago

      Not a big issue. Make a fake access point for an open Wifi, that’s quick and could trick a lot of people.

    • ibitebcareful - 9 years ago

      I love your advice. People use macs because they’re simple to use and you don’t have to be a chip head to use one. You and I aren’t going to get caught up in this mess because we’re aware of it. How many people do you think, at this exact moment, are on their macbooks in a coffee shop, fast food restaurant, or wherever, and have NO CLUE this bug exists? That’s the issue.

      • depicus (@depicus) - 9 years ago

        And how many of those people would be going to secure websites that contain the ip address not a fqdn ? Not many I suspect. Yes there is a risk but lets keep it in context because we run the risk of crying wolf too many times.

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear