Apple releases iOS 7.0.6 fixing a serious SSL/TLS vulnerability

Details of the vulnerability are currently terribly scarce, but judging by the Apple KB entry, it sounds very serious indeed: it would allow man-in-the-middle attacks on SSL/TLS connections.

The problem was apparently found by Roland Moriz when trying to use curl on Mac OS, where it failed to identify a simple Common Name mismatch. (email proof)

What this means in reality is that someone who sits between you and a target site, such as your bank or Facebook, would be able to listen in on your traffic and potentially modify information as it is being sent to the server.
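The check that failed in the curl case above is hostname verification: a certificate whose names do not cover the host you asked for must be rejected, no matter how valid its chain is. The following is an added example, not code from the page or from Apple, of such a check written against the dict shape Python's `ssl.getpeercert()` returns; the certificates are constructed samples and the wildcard rules follow RFC 6125.

```python
import ipaddress

# Constructed sample certificates in the dict shape ssl.getpeercert() returns
# (made-up names, not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
MISMATCH_CERT = {  # valid-looking chain, wrong name: must be rejected
    "subject": ((("commonName", "www.attacker.example"),),),
    "subjectAltName": (("DNS", "www.attacker.example"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.0.2.10")),
}


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against hostname. A wildcard is only
    accepted as the whole left-most label and must be followed by at least
    two more labels (RFC 6125 section 6.4.3 style rules)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return True only if hostname is covered by the certificate's SAN
    entries; the subject CN is consulted only when no DNS SAN exists."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals must match an IP SAN exactly, never a CN
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if not dns_names:  # legacy fallback to commonName
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in dns_names)
```

A client that skips this step, or reports success when it fails, accepts exactly the kind of certificate an attacker sitting between you and the server would present.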

How I Lost My $50,000 Twitter Username

This is some seriously scary stuff.

It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.

Social engineering has been done since the beginning of time. Giving out credit card information, regardless of who is asking for it, should just not be done. Since it can be used as a password substitute, it should be treated in the same manner.

Using two-factor authentication is a must. It’s probably what prevented the attacker from logging into my PayPal account. Though this situation illustrates that even two-factor authentication doesn’t help for everything.

There is no reason to not use two-factor authentication these days. Do however take note[1] of all sites using two-factor auth connected to your phone, in case you need to change the phone number in the future[2].

  1. I use a tag in 1Password for all sites requiring two-factor authentication.

  2. This happened to me a while ago (a story for another day), which has led me to always make it a conscious decision when entering my phone number on a website. I keep track of websites having my phone number using a tag in 1Password.