Apple's iOS patch reveals security flaw that affects third-party apps on OS X

Advertisement
By NDTV Correspondent | Updated: 24 February 2014 15:02 IST
Apple's iOS patch reveals security flaw that affects third-party apps on OS X

Researchers have discovered that a massive security hole in iOS 7 and OS X also affects third-party desktop software. While iOS has been updated, no fix is available for OS X yet. Apple released the iOS 7.0.6 update on 21 February to patch a flaw in Safari's SSL authentication code that would have allowed attackers to bypass it altogether and intercept sensitive communications such as credit card information and login credentials.

Security researchers at Crowdstrike reverse-engineered the iOS 7.0.6 update and discovered that the holes patched by it also exist in OS X. Another reasearcher, Ashkan Soltani, has now posted a screenshot to Twitter highlighting a number of apps other than Safari that use the same framework. These include built-in apps such as Calendar, Keynote, FaceTime, Mail and Software Update as well as third-party apps such as Twitter. Apple allows developers to use Secure Transport while building their own apps, which means hundreds more could be affected.

Both sources have refused to divulge specific information to the public, in order to prevent potential attackers from learning more about how to exploit the flaw.

The flaw allows for a "man-in-the-middle" attack, which makes it possible for anyone on the same wired or wireless network to intercept SSL-encrypted traffic and decrypt it by pretending to be the intended recipient, for example a secure website. Such data can then be modified before it is passed on to the actual recipient and traffic returning can be intercepted as well, giving the attacker full access to your online accounts and credentials. People using public Wi-Fi hotspots are particularly vulnerable, as attackers can sniff for vulnerable computers and capture secure data without the affected users ever knowing.

Advertisement

Apple calls its implementation of SSL authentication framework Secure Transport. The same code is used in Safari on Apple's desktop operating system, OS X, and is also available to third-party apps. 

Here are some of the apps which rely on the vulnerable Apple #gotofail SSL library beyond Safari /cc @a_greenberg pic.twitter.com/ombDOOa01A

Advertisement
-- ashkan soltani (@ashk4n) February 23, 2014

Apple has confirmed that an update for OS X is in the works, but users are advised to avoid using the Safari browser, especially if connected to public Wi-Fi hotspots. Apple has also released an update to iOS 6 for older devices, including the iPhone 3GS and older iPod touch models, which cannot run iOS 7 but are also affected.

 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Our Fault OTT Release Date: When and Where to Watch Final Chapter of Culpables Online?
  2. Best Smartphones Under Rs 25,000 in India: Check List
  3. OnePlus 13s Launched in India: Know Price, Specifications and More
  4. Redmi Pad 2 With 9,000mAh Battery Launched in Global Markets: See Price
  5. OnePlus 13s Review
  6. AirPods Pro 2, AirPods 4 May Get New Head Gestures, Camera Control, More
  7. OnePlus Pad 3 With 12,140mAh Battery Launched in India: Check Features
  8. OnePlus 13s vs iQOO 13: Price in India, Specifications Compared
  1. Hugging Face Releases SmolVLA Open Source AI Model For Robotics Workflows
  2. Redmi Pad 2 With 9,000mAh Battery, MediaTek Helio G100 Ultra Chip Launched: Price, Specifications
  3. Alphabet CEO Expects to Keep Hiring Engineers as AI Advances
  4. Amazon Said to Be Preparing to Test Humanoid Robots for Deliveries
  5. Google Doubles Gemini 2.5 Pro Rate Limit for Google AI Pro Subscribers
  6. Apple Said to Have Given iPhone Repair Business to Tata India as Partnership Expands
  7. Huawei Pura 80 Pro, Pura 80 Pro+ Design Teased; Pre-Reservation Begin
  8. Mistral Code AI-Powered Coding Assistant Introduced for Enterprise Developers
  9. Nothing Headphone 1 Launch Date Set for July 1, to Arrive Alongside Nothing Phone 3
  10. Ethereum Foundation Announces Overhauled Treasury Strategy Amid Scaling Push
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.