A security hole in the FaceTime for Mac beta can be used to change a user's password for their iTunes account.
A security hole has been found in FaceTime for Mac that allows someone with
physical access to a user's computer to change that person's iTunes password
without knowing the existing one.
Apple launched a public beta for FaceTime for Mac Wednesday. The application
allows Mac users to video call other Macs as well as iPhone 4 and iPod Touch
users.
According to Macworld Germany, when a computer is set up for FaceTime, the
associated iTunes password can be changed by someone without re-entering the
original password. To do this, someone would need to go into the preferences
for FaceTime and select the associated iTunes account.
If someone selects "View Account," that person can change the account password
without the knowledge of the account owner and without entering the original
password.
In addition, the FaceTime for Mac beta saves the iTunes password
automatically, meaning that logging out does nothing to mitigate the issue
because a new user could click the "sign in" button and access the
account, according to reports.
With the password, someone could potentially purchase music while posing as the
other person.
Apple did not respond to an eWEEK request for comment. FaceTime requires Mac
OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is
available for download here.