Apple has revealed a new type of HTTPS attack on its iOS and OSX platforms, one which was able to mimic the encrypted handshake system on each device and employ standard man-in-the-middle tactics to collect information on communications between two separate systems.
According to security experts at the company, the attack itself was relatively simple in its penetration vectors, which is one of the major reasons the security team missed it upon their first pass.
“In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other. To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection.”
The flaw resides in the secure transport mechanism of iOS version 7.1 and earlier for iPhones and iPads and the Mountain Lion 10.8.5 and Mavericks 10.9.2 versions of Mac OS X, according to advisories posted by the company earlier this morning.
Thankfully, Apple was relatively quick to the draw on this one, already releasing patch 7.1.1 to address the issue and seal up the hole which left traffic exposed for the millions of users who rely on their device to communicate with friends, family, and acquaintances from around the world.
The issue was also easily exploitable on the OSX platform, utilizing many of the same pathways to achieve similar results on laptops and desktops which belong to many high-level security officials both in and outside of the government sector.
No word yet on any major hauls of information pulled from the net as a result of the bug, however we should expect to see some pushback on the update as the news of its distribution continues on from here.