A security hole has been found in FaceTime for Mac that allows someone with physical access to a user’s computer to change that person’s iTunes password without knowing the existing one.
Apple launched a public beta for FaceTime for Mac Wednesday. The application allows Mac users to video call other Macs as well as iPhone 4 and iPod Touch users.
According to Macworld Germany, when a computer is set up for FaceTime, the associated IT password can be changed by someone without re-entering the original password. To do this, someone would need to go into the preferences for FaceTime and select the associated iTunes account.
If someone selects “View Account,” that person can change the account password without the knowledge of the account owner and without entering the original password.
In addition, the FaceTime for Mac beta saves the iTunes password automatically, meaning that logging out does nothing to mitigate the issue because a new user could click the “sign in” button and access the account, according to reports.
With the password, someone could potentially purchase music while posing as the other person.
Apple did not respond to an eWEEK request for comment. FaceTime requires Mac OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is available for download here.