[SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com
Kenneth Van Wyk
ken at krvw.com
Thu Mar 12 09:41:00 EST 2009
Hello SC-Lers,
I saw this blog and thought it may be of interest here:
http://blogs.zdnet.com/security/?p=2861
According to the blog, there's a design issue (read: flaw) in iTunes
that can allow a maliciously formed podcast to cause a user to get
prompted for a username/password -- to iTunes itself. That dialog box
can then be hijacked and the victim's credentials stolen.
What made it interesting to me was a couple of things: first, the cited
advisory from Apple (http://support.apple.com/kb/HT3487) clearly says
it's a design issue. That tells me we're not likely to see a real fix for
a while, IMHO. Indeed, Apple's initial "fix" to this design issue is,
"This update addresses the issue by clarifying the origin of the
authentication request in the dialog." That doesn't sound like much
of a fix at all, and I'd expect a lot of users will still fall for the
dialog box ruse. Sigh...
Cheers,
Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
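The mitigation Apple describes above, showing the origin of the authentication request, is easy to illustrate. The following is an added example and not Apple's or iTunes' code: a client that fetches podcast enclosures treats the HTTP challenge's realm string as untrusted text, labels the prompt with the actual host that sent the 401, and only ever submits store credentials to the one store host over HTTPS. The store host name, the feed XML and the challenge header are constructed for the example.

```python
"""Origin-aware handling of HTTP authentication challenges raised while
fetching podcast episodes. Added example; not Apple's or iTunes' code."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the only host to which store credentials may ever be sent.
# Placeholder name, not a real Apple host.
STORE_HOST = "store.example-itunes.invalid"

# Constructed podcast feed: the enclosure is served by a third-party host,
# so fetching the episode contacts a host the user never chose to log in to.
FEED_XML = """<rss version="2.0"><channel><title>Example Show</title>
<item><title>Episode 1</title>
<enclosure url="http://media.podcast-host.example/ep1.mp3"
           type="audio/mpeg" length="1"/>
</item></channel></rss>"""

_REALM = re.compile(r'realm="([^"]*)"')


def enclosure_hosts(feed_xml):
    """Return the set of hosts contacted when the feed's episodes are fetched."""
    root = ET.fromstring(feed_xml)
    return {urlparse(e.get("url")).hostname
            for e in root.iter("enclosure") if e.get("url")}


def describe_challenge(request_url, www_authenticate):
    """Build what an auth dialog should display for a 401 received from request_url.

    The realm is text chosen by whoever runs the responding server, so it can
    claim to be anything; the host that actually sent the challenge is the
    only fact the user can judge on, and it is shown first.
    """
    host = urlparse(request_url).hostname
    match = _REALM.search(www_authenticate or "")
    realm = match.group(1) if match else ""
    trusted = host == STORE_HOST
    message = f'"{host}" is asking for a username and password (realm: "{realm}").'
    if not trusted:
        message += f" This is not {STORE_HOST}; do not enter store credentials here."
    return {"host": host, "realm": realm, "trusted": trusted, "message": message}


def may_submit_store_credentials(request_url):
    """Policy check: store credentials go only to the store host, only over HTTPS."""
    parts = urlparse(request_url)
    return parts.scheme == "https" and parts.hostname == STORE_HOST


if __name__ == "__main__":
    print("hosts contacted:", sorted(enclosure_hosts(FEED_XML)))
    # Constructed challenge: a third-party host whose realm claims to be the store.
    print(describe_challenge("http://media.podcast-host.example/ep1.mp3",
                             'Basic realm="iTunes Store"')["message"])
```

The point of `describe_challenge` is that the realm and the host are shown separately and the decision to submit credentials keys off the host alone; `may_submit_store_credentials` makes that policy mechanical rather than leaving it to the user's reading of the dialog.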