13 Replies Latest reply: Nov 11, 2010 12:30 AM by michaelbix
Easybourne Level 1 (110 points)
I just had a quick play with FaceTime and to my horror have discovered that when you go to Preferences > View Account the summary screen shows the Date of Birth and the answer to your secret question in the clear. The Account password is obscured, but by having the other information exposed, it is a trivial matter for anyone that gains access to a Mac that has been set up with FaceTime to run riot with one's iTunes and Apple Store accounts that are associated with the Apple ID.

I think I'll shy away from it for a bit.

iMac 27" 3.06 C2D, iMac 24" 2.8 GHz, Mac OS X (10.6.2), Time Capsule 1TB; AppleTV 160GB; iPod Touch 2nd Gen 32GB; iMac G5; iMac G3 DV
  • 1. Re: FaceTime - Serious security issue with Beta
    J.C Level 4 (1,595 points)
    I strongly suggest that you submit a bug report at http://developer.apple.com/bugreporter/

    J.C
  • 2. Re: FaceTime - Serious security issue with Beta
    Easybourne Level 1 (110 points)
    I already sent feedback via the App's own 'Provide FaceTime Feedback' option. But for belt and braces, I'll post to the link you supplied - thanks.
  • 3. Re: FaceTime - Serious security issue with Beta
    Easybourne Level 1 (110 points)
    Actually, I can't report via the link provided as I am not a member of the developer program. Maybe if there is anyone reading this that is a member of the developer program, perhaps they could report it.

    Thanks.
  • 4. Re: FaceTime - Serious security issue with Beta
    macjack Level 9 (50,520 points)
    It may be a bug... but I'm not so sure about how much it compromises security.
    Your date of birth is public knowledge, and if the answer to your secret question gives away your password, you need a better answer that doesn't?

    btw - I haven't downloaded the beta yet because video phone from my Mac isn't a big draw for me. Actually, video from any device isn't; I prefer voice.
    -mj
  • 5. Re: FaceTime - Serious security issue with Beta
    macjack Level 9 (50,520 points)
    Easybourne wrote:
    Actually, I can't report via the link provided as I am not a member of the developer program.

    Membership is free.
    -mj
  • 6. Re: FaceTime - Serious security issue with Beta
    Easybourne Level 1 (110 points)
    Of course it compromises security. The secret question and answer is used for when you can't remember the password and answering the question correctly enables you to CHANGE the password, thereby granting you access to the account.

    Having the secret question answer available is as good as exposing the password.

    As for the date of birth, it is another piece of information that can be used to crack accounts.

    It is a problem.
  • 7. Re: FaceTime - Serious security issue with Beta
    Easybourne Level 1 (110 points)
    macjack wrote:
    Your date of birth is public knowledge


    OK, when was I born?
  • 8. Re: FaceTime - Serious security issue with Beta
    macjack Level 9 (50,520 points)
    That's not exactly what I meant. By public knowledge, I mean it can be easily found on lists (some of which were generated at your birth). You've also filled in your DOB on countless forms. Since I'm not a blackhat, I'm not interested in investing the time and effort it would take for me to prove something to you.
    Try a "People" search and see the stuff you can come up with. Or, Google this post. You wouldn't want me to post it here, if I could.
    -mj
  • 9. Re: FaceTime - Serious security issue with Beta
    Easybourne Level 1 (110 points)
    This isn't a discussion about what you can find out. It's me reporting that there is a problem with information that should be hidden being visible.

    That's it.

    The point is - the FaceTime beta potentially makes it very easy for someone to gain access to an iTunes account by giving such a miscreant access to the information that is necessary to change the account password, thereby locking out the original owner of the account.
  • 10. Re: FaceTime - Serious security issue with Beta
    m0thr4 Level 1 (95 points)
    Easybourne wrote:
    I just had a quick play with FaceTime and to my horror have discovered that when you go to Preferences > View Account the summary screen shows the Date of Birth and the answer to your secret question in the clear. The Account password is obscured, but by having the other information exposed, it is a trivial matter for anyone that gains access to a Mac that has been set up with FaceTime to run riot with one's iTunes and Apple Store accounts that are associated with the Apple ID.


    This is exactly the same as the account page you get to via the Apple Store website and the "Edit Account details" screen you get in iTunes Store. In both of those cases, your secret question/answer and date of birth are all displayed in clear text.

    In all these cases, to view this information, you first have to enter your AppleID password, so I don't really see that Facetime carries any greater risk than has already been present for several years.
  • 11. Re: FaceTime - Serious security issue with Beta
    Easybourne Level 1 (110 points)
    m0thr4 wrote:


    In all these cases, to view this information, you first have to enter your AppleID password, so I don't really see that Facetime carries any greater risk than has already been present for several years.


    The difference with the FaceTime issue (which has been kind of fixed now BTW) was that FaceTime *stayed logged in* and didn't prompt for a password to access the account prefs page. Quite an important distinction.
  • 12. Re: FaceTime - Serious security issue with Beta
    m0thr4 Level 1 (95 points)
    Easybourne wrote:
    m0thr4 wrote:


    In all these cases, to view this information, you first have to enter your AppleID password, so I don't really see that Facetime carries any greater risk than has already been present for several years.


    The difference with the FaceTime issue (which has been kind of fixed now BTW) was that FaceTime *stayed logged in* and didn't prompt for a password to access the account prefs page. Quite an important distinction.


    Ah, ok. It doesn't stay logged in for me, so they must have fixed it.
  • 13. Re: FaceTime - Serious security issue with Beta
    michaelbix Level 1 (5 points)
    My "to my horror" was that I received (and granted) a request from "apsd-ft.apple.com" to load perform an update, and I became mistrustful as I watched a full 12-minute load in at DSL speeds, without any other i.d. occurring. I reacted too slowly to the possibility it was a spoof and didn't truncate it quickly enough.

    As a consequence this busy-beaver "upgrade" (trojan) immediately severed my TimeMachine... knowing I'd try to reconstruct a version of my MacBook Pro preceding the download; denied further reading of my boot disk to TimeMachine; made the (new) external backup drive unbootable... by that machine anyway; changed about four pages of permissions to give itself writing powers and to block attempts to see it or eliminate it; and then inserted a routine to prevent fixing permissions. Any permission fix does tons of stuff... and then at the end of the "fix" all errors are reset back to their previous "error" state favouring the trojan which rode in upon some FaceTime security breach.

    As a consequence my MacBook Pro is a deer blinded in the headlights, and no backup is possible (or desirable... I don't want to over-write the last good version). I must get FaceTime out but I'm not sure what it will take to completely eliminate this little sieve-like monster.