Hacks and bugs are almost unavoidable with any piece of software but a recent vulnerability found in Apple’s iOS has many experts surprised and worried. The tech giant spent the weekend trying to come out with fixes for a vulnerability that was first noticed by researchers in iOS and then later, Mac OS X as well.
The vulnerability is reportedly caused by a simple change in the iOS code that allows hackers to intercept and compromise sensitive banking as well as other forms of communication like e-mail. One of the most concerning aspects of the so-called Gotofail bug is that it has been present in iOS for a significant period of time, leaving people with older iOS 6 devices at risk.
A Major Bug
Even though all of the details regarding the Gotofail bug have not been released to the public, researchers and experts who have found the issue for themselves are saying that it is a worst-case scenario.
“Impact: An attacker with a privileged network position may capture or modify in sessions protected by SSL/TLS,” according to a statement from Apple. This means that if a hacker is near a target device, he can use the vulnerability found in iOS and Mac OS X devices to steal information or alter communications to spread malware.
The bug, which affects the “goto” call command, simply allows a hacker to circumvent the SSL security system present in Apple’s software. Not only is this a simple hack, it is a flaw that is not unheard of when using “goto” commands. Normally the use of a simple piece of code like this would be fine, but somehow, a person was able to alter Apple’s code directly.
Any malicious piece of code that targets SSL security can leave a device completely open to a variety of different hacks. Since this is what happened with iOS and Mac OS X devices, users have been open to attacks for quite some time.
Some members of the security community are chalking up the bug to an unintentional mistake on Apple’s part but others question why such a large company could have made a simple error.
“This sort of subtle bug deep in the code is a nightmare,” security expert Adam Langley said in a blog post. “I believe that it's just a mistake, and I feel very bad for whomever might have slipped in an editor and created it.”
Researchers who have looked at the Gotofail bug have noted that it was first present in a version of iOS 6 around the same time as the Snowden NSA revelations began to come out. The initial Snowden reports suggested that the NSA had backdoors into products from technology companies, including Apple. This observation has fueled speculation that either Apple or the NSA was directly responsible for the lack of security.