Paranoid iPhone owners used a privacy tool that made them hackable

If you’re an iPhone or Mac user who has taken precautions to protect your privacy, you shouldn’t ignore the most recent software updates Apple’s been trying to push to your device.

Stop clicking “remind me later,” because last month’s security updates fix a critical issue affecting those using proxies for their connections. The bug allowed attackers lurking on networks to see proxy users’ passwords and any information being sent over supposedly secure channels.

Proxy connections are often used to create a safer, more secure internet browsing session. Government agencies and corporations use proxies, as do many commercial Virtual Private Networks (VPNs) used by political activists, dissidents, and the universally paranoid. Ironically, the people who took extra precautions to protect themselves were made vulnerable.

As is unfortunately all too common, the bug has been around for years thanks to a mistake in the way proxies were authenticated.

“Because this is exploiting the way the protocol works, you can’t tell if you’ve been exploited or not,” said Jerry Decime, the long-time security researcher who discovered the vulnerability, dubbing it “FalseCONNECT.” (He describes it in greater length and technical detail here.)

FalseCONNECT affects products from a number of different tech companies, but it hit Apple hardest, Decime told me.

“With Apple, you could fully get in the middle of the https proxy communication so it’s the worst,” he said. Decime has been working for months with US-CERT, Apple, and a number of other companies on fixing the flaw. Apple released an update to fix it in iOS and OS X last month, but just revealed the issue in its security notes this week, crediting Decime.

This month, Apple revealed that it’s going to start making payouts as high as $200,000 to people who discover bugs in its software. But Decime, who had hoped to donate any FalseCONNECT-related bounty payouts to the Electronic Frontier Foundation, was told he wouldn’t be paid one, because he discovered the vulnerability before Apple announced the new program and because bounties wouldn’t be paid for protocol implementation vulnerabilities. Apple did not respond to my request for comment.

“Ultimately this was a very shallow bug… sitting just under the surface in an area of browser interaction which was not thoroughly evaluated,” wrote Decime on his website. “For the security community this is yet another wake-up call that we still have shallow bugs in some of our most trusted solutions.”

And for the non-security community, it’s a good reminder to promptly download updates to your software and apps. They often involve fixes you really don’t want to miss.
