Secure Coding mailing list archives
Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com
From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 12 Mar 2009 07:41:00 -0700
Hello SC-Lers,

I saw this blog and thought it may be of interest here: http://blogs.zdnet.com/security/?p=2861

According to the blog, there's a design issue (read: flaw) in iTunes that can allow a maliciously formed podcast to cause a user to get prompted for a username/password -- to iTunes itself. That dialog box can then be hijacked and the victim's credentials stolen.

What made it interesting to me was a couple of things: first, the cited advisory from Apple (http://support.apple.com/kb/HT3487) clearly says it's a design issue. Tells me we're not likely to see a real fix for a while, IMHO. Indeed, Apple's initial "fix" to this design issue is, "This update addresses the issue by clarifying the origin of the authentication request in the dialog." That doesn't sound like much of a fix at all, and I'd expect a lot of users will still fall for the dialog box ruse.

Sigh...

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Current thread:
- Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com Kenneth Van Wyk (Mar 12)
- Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com Jim Manico (Mar 12)