News: 21 October 2010

FaceTime for Mac – a serious threat for your Apple ID

While many users are happy about having FaceTime on their Mac, we are a little anxious about some security glitches present in the current beta of the software. With a few clicks, others can make use of the user’s Apple ID and reset the password with ease.

We started having a closer look at the settings when Gernot pointed us at some issues: once you’ve logged into FaceTime, you can view all the account settings of the Apple ID in use. Username, ID, place and birth date are shown as well as the security question and the answer to it – in plain text, without another password request. To reset the password of an Apple ID, all you need is the exact birth date and the answer to the security question – we tried that out for you, and it worked fine.

Even without the plain text answer, the password reset itself is a little awkward – close friends and family usually know the answers to the standard questions, such as a favourite number or certain names. Unfortunately, there’s no way to deactivate the security question password reset.

Another issue happens while logging out: when you choose “Log Out” from the top menu, the password remains in the password field, even when restarting the application. That shouldn’t be the case, though: applications should remove passwords from the password field as soon as the application is closed.

Our tip: either don’t use FaceTime at all or make sure your computer is safe – set a master password and never leave your machine open and running in a public place. Otherwise you might get an unusual surprise at some point.
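The two safeguards missing in the beta (a fresh password prompt before account details are shown, and a log-out that clears the password field) can be modelled in a few lines. This is an added example, not Apple's code; `Account`, `Session` and the five-minute `REAUTH_WINDOW` are hypothetical names and values chosen for illustration.

```python
import hashlib, hmac, os, time

REAUTH_WINDOW = 300  # seconds a password confirmation stays valid (assumed policy)

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, apple_id, password, birth_date, question, answer):
        self.apple_id, self.birth_date, self.question = apple_id, birth_date, question
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        # Only a hash of the answer is kept, so no view can display it.
        self.answer_hash = _hash(answer.strip().lower(), self.salt)

class Session:
    def __init__(self, account):
        self.account = account
        self.logged_in = True
        self.password_field = ""   # contents of the login form's password box
        self.confirmed_at = None   # time of the last successful password re-entry

    def confirm_password(self, password, now=None):
        ok = hmac.compare_digest(_hash(password, self.account.salt),
                                 self.account.pw_hash)
        if ok:
            self.confirmed_at = time.time() if now is None else now
        return ok

    def view_account(self, now=None):
        now = time.time() if now is None else now
        if not self.logged_in:
            raise PermissionError("not logged in")
        # Being logged in is not enough: require a recent password re-entry.
        if self.confirmed_at is None or now - self.confirmed_at > REAUTH_WINDOW:
            raise PermissionError("re-enter password to view account details")
        a = self.account
        return {"apple_id": a.apple_id, "birth_date": a.birth_date,
                "security_question": a.question, "security_answer": "(hidden)"}

    def log_out(self):
        # Drop the session, the re-auth timestamp and anything left in the form.
        self.logged_in = False
        self.confirmed_at = None
        self.password_field = ""
```
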

Update 22 Oct 10am: Apple has fixed the flaw. When you open the menu now you can’t see the account data anymore and the menu jumps back.

 8 comment(s) so far

  •  dyn (21. October 2010)

    iTunes, iPhone, iPod Touch, iPad, iChat, Adium, Mail, Safari, Firefox, etc. all have the same option: you can view your account, change passwords, etc. I’ve tried it in FaceTime, the option is there but it does nothing, it switches back to the previous view (it doesn’t display my account details). Being logged into any service/application on your machine poses a security risk for anyone that has physical access to it. This is hardly a FaceTime security issue, it’s a general issue. It is the main reason why one should use a password on one’s computer and lock the machine when leaving. Logging out of the application/service also helps. The only problem in this case would be the fact FaceTime keeps remembering the password. Something Hotmail does as well if you opt for it.

  •  Gustav (21. October 2010)

    FaceTime does not store your password. Your keychain does. The MobileMe system preferences, iCal, etc. use the same keychain entry. Any developer could write an app that does this. They could sneak onto your computer, run their app, click “Allow” and get the password from the keychain and access the same information that FaceTime does. If you lock your keychain when not near your Mac, neither FaceTime nor anything else can get your password or access the site.

  •  Conrad (21. October 2010)

    Why does everyone think this is such an issue!? Who is using your computer that’s not you!? For Pete’s sake, put a freakin’ password on the thing. What’s wrong with you?

  •  Matt (21. October 2010)

    Oct 20’s FaceTime beta also automatically creates a keychain item (without asking if you want to save it in the keychain) containing the account and password so that even if you sign out, the next time you open the application your username and password are automatically filled in.

    To prevent password storage, you have to sign out, quit FaceTime, and manually delete the keychain item. This is ridiculous.

  •  Joe di Stefano (21. October 2010)

    Good point, dyn. There is a similar “security issue” with the Finder, where if someone has access to your computer they can drag your documents into the trash and then erase them, without even knowing your birthday!

  •  Grogor (21. October 2010)

    This is a glitch and I am sure it will be fixed soon. Of course you can already reset most people’s online passwords if you have access to their computer. Most computers do not require a password every time email is accessed. I could walk up to any PC, enter the user’s email into Amazon.com. Enter that I forgot the password. A recovery email is sent to the computer I am using. Since email is already logged in, I can now change the password.

  •  airmanchairman (21. October 2010)

    Funny enough, iTunes has consistently refused to save my password and I tried several times to “correct” this so that I don’t have to authenticate every time I make an app or music purchase. The thing is, every time I download an update to iTunes, the problem returns.

    Then I thought about it – it isn’t a problem, it’s a good thing – a very slight inconvenience but a very good security feature.

  •  securiour (22. October 2010)

    Apple is testing a Facetime beta version which runs on Mac. The German company has reported a password flaw in which the application Facetime running on your computer, the password can be changed without authentication of supplying old password.
    http://www.securiour.com/2010/10/21/facetime-running-on-mac-has-password-security-issue/

