Slashdot Mirror


Apple Finally Fixes Unencrypted App Store Login

Deekin_Scalesinger writes "More than eighteen months after being first brought to Cupertino's attention, Apple gets around to addressing insecure logins to the App Store. In theory, this could be used to view lists of installed apps and make unauthorized purchases." Yep, they were sending login information over plain http.

5 of 52 comments

  1. Apple's reason for this by dreamchaser · Score: 5, Funny

    Apple's official statement: "We used plain http because it 'Just Works'."

  2. A: Because it disrupts the flow of a message by DNS-and-BIND · Score: 5, Funny

    Q: Why is starting a comment in the Subject: line incredibly irritating for everyone at Slashdot?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  3. This is exactly what my ass by Sir or Madman · Score: 5, Funny

    ociate once told me.

  4. Further evidence... by Anonymous Coward · Score: 3, Funny

    ...that no-one doing anything relevant would choose Apple.

    This also explains why Apple has become very popular over the last decade.

  5. Re:Nice summary by Anonymous Coward · Score: 5, Funny

    Yep, they were sending login information over plain http.

    Uh, no they weren't.

    They were serving mixed content. As a result, the unsecured content was vulnerable to a MITM attack and could be replaced by whatever the hacker wanted—even javascript that pops up a fake password prompt.

    But the login was definitely secured; you couldn't get someone's username and password just from captured packets. You could, however, gather certain less-sensitive information, most notably a list of installed apps used for update checks.

    It was a big vulnerability, and it's good they fixed it. If only more sites would stop including unsecure content on "secure" pages.

    Stop ruining our Apple bashing session with 'facts'.