Apple on Friday revealed a major SSL (Secure Sockets Layer) vulnerability in its software that affects all of its devices, allowing attackers to intercept and alter communications, including email and login credentials, for countless Apple hardware users.
A new version of Apple’s iOS for its phones and tablets was rushed out the door on Friday to patch the vulnerability: its mobile, tablet and desktop software is not doing SSL/TLS hostname checking, so communications that are meant to be encrypted are not.
The patch has only been issued for the more recent iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation).
Security researchers across several communities believe that Mac computers are even more exposed, as they are currently left hanging without a patch.
Unfortunately, Apple has not released a statement on when to expect this patch, nor what version range of iPhone, iPad, iPod touch, or Mac computer is affected by the major, and somewhat shocking, flaw.
The vulnerability allows anyone with a certificate signed by a “trusted CA” to do a man-in-the-middle (MITM) attack.
A man-in-the-middle attack silently intercepts the communication between you and your intended recipient or website, including data such as unencrypted passwords; as OWASP puts it, “the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.”
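To make the missing check concrete, here is an added example (not code from the article, from Apple, or from OWASP) of the hostname comparison a TLS client is expected to perform against a certificate's subjectAltName entries, using constructed names, together with the standard-library settings that turn on both chain verification and hostname checking in a Python client. The names in `CONSTRUCTED_SAN_NAMES` and the function names are assumptions made for this illustration.

```python
import ssl
from typing import Iterable

# Constructed subjectAltName dNSName entries standing in for a real certificate.
CONSTRUCTED_SAN_NAMES = ["www.example.com", "*.mail.example.com"]


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Compare the hostname the user asked for with the certificate's DNS names.

    Simplified RFC 6125 rules: exact label-by-label match, or a wildcard that is
    the whole leftmost label, covers exactly one label, and is not the only
    thing left of the registered domain (so "*.com" never matches).
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for pattern in san_dns_names:
        pat = pattern.lower().rstrip(".")
        pat_labels = pat.split(".")
        if "*" not in pat:
            if pat_labels == host_labels:
                return True
            continue
        # Reject partial-label wildcards ("a*.example.com"), extra wildcards,
        # and wildcards too close to the top level.
        if pat_labels[0] != "*" or "*" in pat[1:] or len(pat_labels) < 3:
            continue
        if len(pat_labels) == len(host_labels) and pat_labels[1:] == host_labels[1:]:
            return True
    return False


def client_accepts(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Decision a correctly behaving client makes once the chain has verified.

    Even a certificate signed by a trusted CA must be rejected when its names
    do not cover the hostname; skipping this step is what lets any CA-signed
    certificate be used for a man-in-the-middle position.
    """
    return hostname_matches(hostname, san_dns_names)


def make_verifying_context() -> ssl.SSLContext:
    """SSLContext with both checks enabled (these are the defaults, made explicit)."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must lead to a trusted CA
    ctx.check_hostname = True            # presented name must match the hostname
    return ctx
```

With `ctx.check_hostname = False` the same context would accept any CA-signed certificate regardless of name, which is the condition the article describes.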
A malicious entity could also impersonate a trusted website to install malware or steal valuable data, as happened in September when Belgium’s largest telecom provider, Belgacom, was hacked and exploited via fake LinkedIn and Slashdot pages.