A critical security flaw was found in one of Apple’s SSL/TLS libraries that could let hackers intercept and modify your data on secure HTTPS sessions. While Apple issued a fix for iOS devices, the Mac remains vulnerable, as reported earlier.
Apple today gave a statement to Reuters saying that a fix for the Mac will be released very soon:
Apple Inc said on Saturday it would issue a software update “very soon” to cut off the ability of spies and hackers to grab email, financial information and other sensitive data from Mac computers.
Apple spokeswoman Trudy Muller told Reuters: “We are aware of this issue and already have a software fix that will be released very soon.”
The bug emerged out of a rather silly error where the portion of the code that verified the authenticity of the server was never reached. This meant that someone on the same Wi-Fi network as you could intercept data being passed through secure channels to Gmail, Facebook etc., and potentially alter it. The consequences of this flaw are quite serious, since banking sites and payment gateways depend on SSL/TLS connections to prevent spoofing and the theft of credentials.
There are conspiracy theories floating around about the bug being intentionally introduced by Apple, to give the NSA a way to tap into the data going through secure networks. The bug has been in the wild for more than a year, and even if it was a genuine mistake, there’s a high chance that it was already exploited by the NSA or malicious hackers to steal private data.
Now, with the bug being public, the risk is higher than ever. Some of the precautions you can take:
- Connect only to trusted Wi-Fi networks. Do not connect to public Wi-Fi in cafes, conferences etc.
- Try to use Firefox or Chrome until the OS X fix is pushed out. The two browsers don’t use Apple’s library, so they’re safe.
- iOS 7.1 beta is still vulnerable, so you might want to switch back to the stable channel until a new beta is available.
We’ll keep you updated about this issue, and let you know as soon as the fix is available. Till then, update your iOS devices to iOS 7.0.6 or iOS 6.1.6, if you haven’t already. Don’t worry about losing your jailbreak, as evasi0n is already available for iOS 7.0.6.