FaceTime for Mac Has a Nasty Security Hole (Update)
Yesterday, Apple rolled out the previously iPhone- and iPod Touch-only FaceTime videochat software to Mac computer users; however, as the German blog MacNotes has discovered, the current beta version of FaceTime for Mac has a security hole that could leave some users’ Apple ID accounts compromised. Given that this could be used by an interloper to change the FaceTime user’s password, locking them out of their own Apple account, as well as make purchases from the iTunes store, this is cause for concern.
Update, 10/22: It’s been fixed.
We started having a closer look at the settings when Gernot pointed us at some issues: Once you’ve logged into FaceTime you can have a look at all the account settings of the Apple ID used. Username, ID, place and birth date are shown as well as the security question and the answer to it — in plain text, without another password request.
Another issue happens while logging out: When you choose “Log Out” from the top menu, the password remains in the password field, even when restarting the application. That shouldn’t be the case, though: Applications should remove passwords from the password field as soon as the application is closed.
TUAW is snarkily dismissive of these concerns: “In related security news, cash registers left unattended with their drawers open are likely to be robbed and cars left running with the doors unlocked are likely to be stolen … any miscreant who has physical access to your computer is a potential security threat.” Their point is well taken — giving others access to your computer when you’re logged into various online programs and sites is usually a bad idea — but the security procedures that are missing are pretty standard online, and with good reason, rooted in bad experiences past. There’s no reason for Apple not to add another password entry speed bump and to clear the FaceTime password from the password entry field after users log out.
Fortunately, this is only day one of FaceTime for Mac, and most of the people who’ve already tried it out are likely tech-savvy Apple power users: Indeed, the point of releasing an early beta before handing the program over to the masses is to detect bugs like this early. This doesn’t seem like it’ll be particularly difficult for Apple to fix, but it’s bad enough that they should get on it pronto.