Security Flaw Fixed in Apple App Store
As of January 23, active content is now served over HTTPS by default.
Apple recently patched a security flaw in the Apple App Store that enabled attackers to steal passwords and install applications without permission. The flaw was uncovered by security researcher Elie Bursztein.
"The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store, meaning an attacker can hijack the connection," writes CNET News' Declan McCullagh. "In addition to a security flaw, the unencrypted connections also created a privacy vulnerability because the complete list of applications installed on the device is disclosed over Wi-Fi."
"Bursztein pointed out that, in theory, a malicious network attacker could exploit the use of HTTP to steal user passwords, force users to install a specific app instead of the one they were looking for, trick users into downloading fake app upgrades, prevent application installation, or scan the apps on a user's device," writes AppleInsider's Kevin Bostic.
"A log of Apple Web Server notifications shows that on January 23, 2013, active content was now served over HTTPS by default," writes Threatpost's Anne Saita. "The company credited Bursztein, Bernhard 'Bruhns' Brehm of Recurity Labs and Rahul Iyer of Bejoi LLC for reporting the issue."
"It's great that Apple has finally updated its iOS app for App Store to provide this basic protection for the entire site," writes Ars Technica's Dan Goodin. "But the work isn't over yet. SSL Labs, a report card system from security firm Qualys that rates the quality of websites' HTTPS protections, gives Apple's App Store a failing grade."