Apple's iTunes Store had a vulnerability that accepted incorrect passwords from America Online (AOL) users, that could have been exploited by hackers.
Security researcher Joshua Long said he discovered the vulnerability more than six months ago but kept silent until Apple could fix the flaw."Apple recently worked with AOL to fix a vulnerability that has been discovered in the iTunes Store authentication process ... This vulnerability seemed to be a problem in the way Apple integrated AOL user names and passwords into its services," he said in his blog.Before the vulnerability was fixed, he said Apple would accept incorrect passwords from users logging into the store using an AOL Screen Name. Incomplete passwords, passwords with incorrect letter case, passwords with incorrect or extra characters at the end, or a combination of any or all of these, were accepted by Apple. "Knowledge of this vulnerability could potentially have been used by attackers, leading to disclosure of personally identifiable information, identity theft, and fraudulent purchases," he said.Long said the vulnerability took the whole six-month disclosure time limit to be announced.He said Apple was at first unresponsive to the problem and then when it did respond, it was initially unable to reproduce it. "When I discovered this security vulnerability last year, I felt that it was serious enough to warrant submitting it to a responsible third-party vulnerability management organization rather than only to Apple or AOL. I have submitted reports to both companies in the past, and I have found that sometimes it can take them a very long time to respond to a security issue," Long said.He noted that up to now, AOL "still doesn't seem to care about encrypting its Web-based e-mail service, in spite of Firesheep shining a spotlight on the problem last year.""I hoped that bringing in a third party to work with the vendor would help encourage the vendor to take the issue seriously and fix it more quickly," he said.He eventually asked upSploit to help inform the affected parties about the vulnerability and the date on which it will be disclosed to the public. "I believe that upSploit's persistence was a major factor in motivating the vendor to take action and to resolve the issue," he said. LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
vulnerablity