If you’re an iPhone user, you probably got an urgent message sometime last week prompting you to upgrade to iOS 7.0.6, the newest iOS update for all iOS devices. The main purpose of that upgrade was to resolve a major bug in its software concerning security and privacy. An error in Apple’s code created an SSL (Secure Sockets Layer) vulnerability that would allow operators of public networks and hackers to intercept private information such as email or login credentials, or to impersonate secure sites in order to harvest banking information. An SSL connection verifies the identity of the secure websites you visit; without that check, anyone can pose as your email or banking site.
Unfortunately, the bad news doesn’t stop there. Since the bug is in Apple’s underlying code, it doesn’t affect only iOS devices: all Apple devices running OS X Mavericks and Mountain Lion are exposed as well. Any application developed using Apple’s SSL library is at risk, including FaceTime, Mail, and Calendar. Just yesterday, Apple released an OS X update to patch this bug on OS X Mavericks and Mountain Lion. Aside from the security fix, Apple included updates to Mail, iMessage, Safari, and FaceTime for Mavericks users.
Apple has millions of users, and any one of them could have had their information exposed during the period before the patch was released. Information such as credit card numbers, addresses, or other sensitive details sent over an unsecured network may have been stolen. A team of security researchers from FireEye, a security company, was able to install an app on an iOS device to demonstrate the severity of the bug. This app, which could pose as music software, could conduct background monitoring to keep track of every single tap on the screen and broadcast that information to a remote server. Although this has not been used outside of a lab, it is an example of how exposed the device is without SSL protection.
This security issue was nicknamed “goto fail” after the line of code that started this mess. As of today, it would seem as though the security issues are resolved. Since there is no guarantee that all Apple users have upgraded, it’s possible that certain users are still at risk, but for those who upgraded their software, it looks as though they and their information are safe for now.
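To show why a single line could disable certificate checking, here is an added example (not Apple’s source code) that models the control flow of the bug: a duplicated, unconditional `goto fail;` skips the signature verification while the error variable still holds 0, so any signature is accepted. The hash and verify routines are constructed stand-ins; the fixed version differs only by the removed line.

```c
#include <stdio.h>
#include <string.h>

typedef int OSStatus;
/* errSSLCrypto is the real SecureTransport error code for a failed crypto check. */
enum { errSecSuccess = 0, errSSLCrypto = -9809 };

/* Constructed stand-in for the handshake hash updates: 0 on success. */
static OSStatus hash_update(const char *data) {
    return data ? errSecSuccess : errSSLCrypto;
}

/* Constructed stand-in for the server signature check: only one signature passes. */
static OSStatus verify_signature(const char *sig) {
    return strcmp(sig, "valid-signature") == 0 ? errSecSuccess : errSSLCrypto;
}

/* Vulnerable shape: the second goto is unconditional (indentation hides it),
 * so control jumps to fail with err == 0 and verify_signature never runs. */
OSStatus verify_server_key_exchange_buggy(const char *params, const char *sig) {
    OSStatus err;
    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;                       /* the duplicated line */
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: stray line removed, so every success path reaches verify_signature. */
OSStatus verify_server_key_exchange_fixed(const char *params, const char *sig) {
    OSStatus err;
    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(params)) != 0)
        goto fail;
    if ((err = verify_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    printf("buggy, forged signature: %d\n", verify_server_key_exchange_buggy("dh-params", "forged"));
    printf("fixed, forged signature: %d\n", verify_server_key_exchange_fixed("dh-params", "forged"));
    return 0;
}
```

Compilers that warn about unreachable code (e.g. `-Wunreachable-code`) flag the dead `if`, which is one cheap check that would have caught this pattern.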
Even though Apple was able to patch the bug fairly quickly, this whole issue raises some very troubling questions. This bug has been around for months, so why did Apple only find the “goto fail” now? What may have happened to users during that long period without SSL protection? What else has gone unnoticed? What else has been overlooked? It’s very troubling that a company as large as Apple could be susceptible to such a large error. In the end it may have been just an honest mistake, but with millions of users depending on you, shouldn’t you take extreme measures in order to keep them secure? Hopefully this whole event has taught us all something: users to be more wary and careful about security, and large companies such as Apple, or even Google and Microsoft, to do whatever needs to be done so that this doesn’t happen again.