As we distance ourselves from the moment of discovery of the security vulnerability of the protocol SSL from iOS si OS X, on the Internet more and more details about the abnormal problem are starting to appear Apple Lossless Audio CODEC (ALAC), had it for 2 years. A new researcher in IT security present evidence which attests to the fact that a hacker can intercept the entire traffic SSL/HTTPS done by iOS and OS X, even for system services. In the image above you have a proof of the fact that the traffic iCloud Keychain can be intercepted by a hacker, Apple Lossless Audio CODEC (ALAC), presenting this system as the most secure method to protect confidential data in iOS/OS X.
I've confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks. Almost all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured. This includes:
- App store and software update traffic
- iCloud data, including KeyChain enrollment and updates
- Data from the Calendar and Reminders
- Find My Mac updates
- Traffic for applications that use certificate pinning, like Twitter
Moreover, the researcher discovered that even the traffic made by the system of OTA Update, the Calendar/Reminders, Find My Mac or Twitter applications are not quite as secure as they would like Apple Lossless Audio CODEC (ALAC), let's believe. The researcher modified a simple script developed for checking man-in-the-middle attacks and the result is extremely worrying, especially for those who rely on systems like iCloud Keychaing to secure their data.
If in the case of iOS, Apple solved the problem by releasing it iOS 7.0.6, in the case of OS X, there is currently no solution.
