
iTunes password security in FaceTime for Mac beta draws concern

post #1 of 39
Thread Starter 
Apple's newly released FaceTime for Mac beta allows users to change their iTunes password without reentering their existing password, causing a potential security issue [update: View Account no longer works].

Update: Apple has not commented on the matter, but numerous users have reported that clicking the "View Account" option in the FaceTime for Mac application no longer works. No update for the software was released to initiate the change.

As noted by Patrick Woods of Macworld Germany, once a computer is set up for FaceTime, the associated iTunes password can be changed without reentering the current password. This would allow anyone with physical access to a user's computer to change their iTunes password, and potentially take control of their account, without knowing the existing password.

This can be accomplished by going into the preferences for the FaceTime application and selecting the iTunes account that was entered when the application was first set up. Users can then choose "View Account," where there are two password fields that can be used to change the account password.

Of course the new password must meet all of the requirements of iTunes, including 8 characters, a number, an uppercase letter and a lowercase letter. But the password could be entered without the knowledge of the account owner, if someone had access to their computer.

Users can choose to log out of their iTunes account by using the "Sign Out" button, but this also does not address the issue, as FaceTime for Mac beta automatically saves the iTunes account's password. A new user could simply click the "sign in" button to access the account and change its password.



FaceTime is Apple's open standard for video chat, first introduced earlier this year on the iPhone 4. On Wednesday, Apple released the first beta of its FaceTime for Mac application, which allows Mac users to video chat with other FaceTime users on the Mac, iPhone 4, or fourth-generation iPod touch.

FaceTime for Mac automatically accesses a user's Address Book contacts, so there's no need to create special buddy lists. It also works seamlessly with the built-in camera and mic on Mac notebooks, the iMac desktop, and Apple LED Cinema Displays.

FaceTime requires Mac OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is available at www.apple.com/mac/facetime.
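
Added example (not part of the original article and not Apple's code): a minimal model of the account-side check the article says is missing, with a password change gated on the current password and on the password rules the article lists. The `AccountStore` class, the function names and the sample account are hypothetical.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # illustrative work factor for this sketch


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Hypothetical in-memory account store holding salted password hashes."""

    def __init__(self):
        self._records = {}  # account id -> (salt, derived key)

    def set_password(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[account] = (salt, _derive(password, salt))

    def verify(self, account: str, password: str) -> bool:
        record = self._records.get(account)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(_derive(password, salt), expected)


def meets_policy(password: str) -> bool:
    """Rules listed in the article: 8 characters, a number, upper and lower case."""
    return (
        len(password) >= 8
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
    )


def change_password_session_only(store, session_account, new_password):
    """Model of the flow the article describes: a signed-in session is enough."""
    store.set_password(session_account, new_password)
    return "changed"


def change_password_with_reauth(store, session_account, current_password, new_password):
    """Hardened flow: prove knowledge of the current password, then apply policy."""
    if not store.verify(session_account, current_password):
        return "reauth_failed"
    if not meets_policy(new_password):
        return "policy_rejected"
    store.set_password(session_account, new_password)
    return "changed"


def demo():
    store = AccountStore()
    store.set_password("owner@example.com", "Original1Pass")  # constructed sample account
    results = [
        change_password_with_reauth(store, "owner@example.com", "guess", "Walkup9Pass"),
        change_password_with_reauth(store, "owner@example.com", "Original1Pass", "Ab1"),
        change_password_with_reauth(store, "owner@example.com", "Original1Pass", "Rotated2Pass"),
    ]
    return results, store.verify("owner@example.com", "Rotated2Pass")


if __name__ == "__main__":
    print(demo())
```

Because both checks run where the password is stored, a client that skips its own prompt or length warning cannot bypass them.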
post #2 of 39
And this is why public betas are a bad idea. Most end users have no idea about the implications, they simply think they're getting free/early software.

I also note that this security flaw requires physical access to the machine. Not exactly life threatening, but best to be tightened up.
post #3 of 39
Any idea when we will get a Windows version?
post #4 of 39
Quote:
Originally Posted by AjitMD View Post

Any idea when we will get a Windows version?

When someone makes a Windows version? I'm just glad they didn't add it to iTunes to get a short-term adoption boost.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #5 of 39
You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.
post #6 of 39
Quote:
Originally Posted by nkhm View Post

And this is why public betas are a bad idea. Most end users have no idea about the implications, they simply think they're getting free/early software...

So then who's really at fault here? Apple for releasing a "wanted" public beta, or those who install it without entirely understanding the concept of a "beta"? I agree Apple should not have overlooked something so basic before releasing a public beta but these types of releases help to collect vital information that not only benefits Apple in their development but the end user as well; should such products reach the retail status or even for the sake of releasing a final version much quicker.

I would never go as far as to say public betas are a bad idea, they just need to be carefully thought out and developed before release. I think we can all rest assured that this particular flaw will be fixed very quickly. Think of it this way: Apple overlooked this, the public quickly discovered it and made mention. If Apple spent this much time and never noticed the issue, how much more time would have been wasted before the issue was discovered (had there not been a public beta)? Not to mention what could have happened had this issue carried over into the final release or as a preloaded feature on all new Macs.
post #7 of 39
It's just magical.

It's a new feature along with the capability to work in facetime EVEN in a full screen mode, as it was emphasized during the keynote.



Quote:
Originally Posted by Magic_Al View Post

You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.

Like what?
What is more important on your PC than your credit card information. Which now can be easily used by a criminal? (Though only in the AppStore, but you would not be happy about the receipt you are going to get, for sure).
post #8 of 39
Quote:
Originally Posted by Magic_Al View Post

You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.

I am not sure ... I know it lets you change the e-mail associated with FaceTime, but I am not convinced it changes your actual iTunes account log in e-mail. I will have to re check. If it does I bet it is fixed asap.

FT works like a charm on our Macs BTW, I love it..
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
Google Motto "You're not the customer. You're the product."
post #9 of 39
Apparently the beta doesn't check that the password is a minimum of eight characters either (despite the warning)...my wife set her FaceTime account up with less.
post #10 of 39
Quote:
Originally Posted by Felix01 View Post

Apparently the beta doesn't check that the password is a minimum of eight characters either (despite the warning)...my wife set her FaceTime account up with less.

Send feed back to Apple on that one!

Mine annoyingly offers my old .mac e-mail at log in not my .me. I know they are interchangeable but I'd love to move on already!
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
Google Motto "You're not the customer. You're the product."
post #11 of 39
I think apple is already fixing this....my "view account" button no longer works


Edit: it works...
post #12 of 39
Color me un-afraid.

A simple fix from Apple of requiring the input of the current password to change it is all that's required. Hardly earth shattering. This is a very simple fix and the kind of thing that crops up in a public Beta.

Should Apple have seen this before it went public? Probably. But like others have said, if a nefarious person already has access to your open user account, they most likely have more on their mind than changing your iTunes password.

Small problem, easy fix, no real security threat. I trust Apple will address this.
post #13 of 39
Quote:
Originally Posted by KrakaJap View Post

So then who's really at fault here? Apple for releasing a "wanted" public beta, or those who install it without entirely understanding the concept of a "beta"? I agree Apple should not have overlooked something so basic before releasing a public beta but these types of releases help to collect vital information that not only benefits Apple in their development but the end user as well; should such products reach the retail status or even for the sake of releasing a final version much quicker.

I would never go as far as to say public betas are a bad idea, they just need to be carefully thought out and developed before release. I think we can all rest assured that this particular flaw will be fixed very quickly. Think of it this way: Apple overlooked this, the public quickly discovered it and made mention. If Apple spent this much time and never noticed the issue, how much more time would have been wasted before the issue was discovered (had there not been a public beta)? Not to mention what could have happened had this issue carried over into the final release or as a preloaded feature on all new Macs.

Apple are at fault for releasing software to the general public rather than to its developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.
post #14 of 39
I still have not tried FaceTime, but the question I have is that I have just one email addy and one AppleID. How can I use my iPod Touch to call my Home Computer to chat with the wife/kids? I mean, can you call yourself?
post #15 of 39
My wife and I have a dual login on our iMac. I installed the beta on my side (worked wonderfully) but when I went to her login and launched the app (same bits) it came up with my id/pw populated and asking for permission to use my keychain.
And then when we put in her AppleID/pw, it could never authenticate.

I'm de-installing until this is worked out.

Looking forward to it working properly tho'... it's slick.
post #16 of 39
Quote:
Originally Posted by digitalclips View Post

Send feed back to Apple on that one!

Mine annoyingly offers my old .mac e-mail at log in not my .me. I know they are interchangeable but I'd love to move on already!

Check your personal entry in the address book app - this is where the info is coming from...
post #17 of 39
Quote:
Originally Posted by AjitMD View Post

Any idea when we will get a Windows version?

Quote:
Originally Posted by solipsism View Post

When someone makes a Windows version? I'm just glad they didn't add it to iTunes to get a short-term adoption boost.

They want iPhone and iPod touch users to strongly consider getting a Mac.
post #18 of 39
Quote:
Originally Posted by nkhm View Post

Apple are at fault for releasing software to the general public rather than to its developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.

Most people won't care. The average user is much more average than we think... When it comes to "non-tech" people nowadays...

Anyways, hope Apple fixes it soon... Downloading it now...
post #19 of 39
Quote:
Originally Posted by Doorman. View Post

Like what?
What is more important on your PC than your credit card information. Which now can be easily used by a criminal? (Though only in the AppStore, but you would not be happy about the receipt you are going to get, for sure).

Just a few off the top of my head...

1) Save any passwords in your browser or keep a file laying around with all your passwords to various sites and banks?
2) Save any form information in your browser?
3) Use Quicken or something like it to manage your finances?
4) they can install a keylogger to get all your information in the future
5) they can change your password so you can no longer access your computer
6) they can wipe your hard disk
7) ....

this can go on forever. If someone gets physical access to your computer and has a malicious intent, you are screwed.
post #20 of 39
Quote:
Originally Posted by euler View Post

I still have not tried FaceTime, but the question I have is that I have just one email addy and one AppleID. How can I use my iPod Touch to call my Home Computer to chat with the wife/kids? I mean, can you call yourself?

I believe you will just have to open up a Yahoo, Hotmail or whatever email account from the home computer and use that for your other address to register and verify with Apple. I did this last night so that I wouldn't have to use my main Apple ID as my public FaceTime address, and it worked fine. So it seems you can set more than one address for the home computer under Preferences in FaceTime. I wonder if you can do the same with the touch or the iPhone.
post #21 of 39
Edited out.
post #22 of 39
Quote:
Originally Posted by nkhm View Post

Apple are at fault for releasing software to the general public rather than to its developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.

I agree that Apple should have caught this, and you can be sure that at least one person has heard it - loudly.

But people DO want public betas, even though they're buggy, and even if they present security risks. Look at any free e-mail service. They've all had serious security breakdowns, most often, more than one. Yet, we don't see people moving away from hotmail or G Mail. Facebook has its own problems with security, but more people go there every day.

This is the least of most people's worries. As long as only someone you trust uses your machine, you're fine.
post #23 of 39
Quote:
Originally Posted by euler View Post

I still have not tried FaceTime, but the question I have is that I have just one email addy and one AppleID. How can I use my iPod Touch to call my Home Computer to chat with the wife/kids? I mean, can you call yourself?

Yes, you can call yourself. It's a little weird, but it works!
post #24 of 39
Here's an article about this from Arstechnica. It sums the problem up nicely, though the lead in says to be careful about who you call, though whomever you call can't get the password, so I don't know why they said that.

They make the point that the only thing someone getting your password sitting at your computer can do is buy stuff on iTunes, not break into your computer.

http://arstechnica.com/apple/news/20...urity-hole.ars
post #25 of 39
Quote:
Originally Posted by Magic_Al View Post

You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.

That's exactly what I was thinking!
post #26 of 39
Quote:
Originally Posted by Sgt Zeppelin View Post

Yes, you can call yourself. It's a little weird, but it works!

With the same email address on both the home computer and the iPhone/iPod? In other words, you don't need to use or establish a different email address for one of the devices?

That's euler's question. I was thinking that the way to do it would be to use a different email for one of them.
post #27 of 39
Quote:
Originally Posted by nkhm View Post

Apple are at fault for releasing software to the general public rather than to its developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.

If you say so I'm not a member of the Mac developer community but I "wanted" the public beta... as did plenty of other people I know who are also not members of the Mac developer community. So to say "no one" is simply not true. But if you've ever worked in the software field you'd know that bad press is not always bad. People will always complain and there are even plenty of "developers" out there who don't report bugs... they simply sign up to be developers for their own reasons that do not always benefit the community. Ignorance of the term beta is no excuse to not take any personal responsibility, hence the user agreements that normally come with these betas. Do you not think Apple pays attention to blog posts and popular tech sites such as this???

Either way it makes no difference. This issue is pretty much insignificant IMO so the people who want to grumble about it... go right ahead. Just remember:

"...IMPORTANT NOTE: This is trial, pre-release, time-limited software meant for evaluation and testing purposes only. This software should not be used in a commercial operating environment or with important data. Before installing the Apple software, you should back up all of your data and regularly back up data while using the Apple software..." - Software License Agreement

They flat out told you right there that there may be issues. If you didn't read it... shame on you, not Apple. Take some responsibility people!
post #28 of 39
Quote:
Originally Posted by Doorman. View Post

What is more important on your PC than your credit card information. Which now can be easily used by a criminal? (Though only in the AppStore, but you would not be happy about the receipt you are going to get, for sure).

If someone has physical access to the machine, in most cases, they probably also have access to your email. This would mean an attacker can probably reset any password they want just by going to a web site and selecting the "forgot my password option".

-kpluck

Do you use MagicJack?

The default settings will automatically charge your credit card each year for service renewal. You will not be notified or warned in any way. You can turn auto renewal off.

post #29 of 39
Oh wow, you mean if a hacker has physical access to my computer he can hack it? Wow! This is really news!
post #30 of 39
Interesting note:

I used Face Time on the Mac for the first time last night. After install, I called a friend with an iPhone 4 and we had a good chat with no hiccups. Before I dialed him though, I accidentally hit the name above his (and they also have an iPhone 4) but I quickly stopped the call. Later on, after I had closed Face Time (no longer appearing in my Dock) that misdialed friend called me back from his iPhone and Face Time opened on my Mac with an option to Answer the call or to Cancel.

Before this I was thinking that in order to receive Face Time calls on the Mac I'd have to keep the app open all the time (like iChat), but that's obviously not the case. Pretty cool. Just thought I'd pass it on.
post #31 of 39
Attention people: Apple has seemingly solved the vulnerability! Now if you try and click the "View Account" button it simply does nothing. Apple has successfully solved the vulnerability for now. Good for them. In the meantime I will continue to enjoy this wonderful software!!! Hurrray for Apple support team!

Good work...
post #32 of 39
Quote:
Originally Posted by nvidia2008 View Post

Downloading it now...

So how did it go? Are you able to call yourself, i.e., do you have another FT device?
post #33 of 39
Quote:
Originally Posted by yensid98 View Post

Interesting note:

I used Face Time on the Mac for the first time last night. After install, I called a friend with an iPhone 4 and we had a good chat with no hiccups. Before I dialed him though, I accidentally hit the name above his (and they also have an iPhone 4) but I quickly stopped the call. Later on, after I had closed Face Time (no longer appearing in my Dock) that misdialed friend called me back from his iPhone and Face Time opened on my Mac with an option to Answer the call or to Cancel.

Before this I was thinking that in order to receive Face Time calls on the Mac I'd have to keep the app open all the time (like iChat), but that's obviously not the case. Pretty cool. Just thought I'd pass it on.

That is cool! Thanks for the tip. Seems better than desktop Skype that you have to keep running in the background to take calls.
I also tried it last night and it was simple to use. I used my AppleID but another email address. So anyone ringing me would need my email address rather than my AppleID which obviously I will not disclose. Not sure why peeps seem to think this is a security problem, but whatever.

One potential security problem I do see is encryption. From what I have seen and heard on the net, FT is unencrypted. Which is a total bummer, especially if you are at Internet cafe.
..... the greatest fame comes from adding to human knowledge, not winning battles.
Paraphrased from Napoleon Bonaparte, 1798
post #34 of 39
Lock your keychain when you leave your Mac unattended. Problem solved.
post #35 of 39
Quote:
Originally Posted by lostkiwi View Post

One potential security problem I do see is encryption. From what I have seen and heard on the net, FT is unencrypted. Which is a total bummer, especially if you are at Internet cafe.

Honestly it's not that easy. Unless you use FaceTime to transfer missile launch codes I wouldn't worry about it. Focus more on securing your wireless network with WPA2 standards.
post #36 of 39
Quote:
Originally Posted by DiscoNomad View Post

Honestly it's not that easy. Unless you use FaceTime to transfer missile launch codes I wouldn't worry about it. Focus more on securing your wireless network with WPA2 standards.

I was wondering how much of an issue this was. Not that I do much espionage, mind you, but what aspect of a FT call could be hacked, for lack of a better word, and how?

But I notice that the iPod's cameras do a great job with capturing text and handwriting of around 8 point size, so you could do FaceTime 'fax' of your codes and not risk being overheard.
post #37 of 39
I also discovered, if you give someone physical access to your machine, it's possible for them to delete all your files and render the OS unbootable! And if they happened to bring their own USB key or blank disc, they could make copies of ALL your personal information!!

This is a huge security flaw! I demand a fix immediately!
MacKeeper - confidence and security for your Mac!
post #38 of 39
I have a Mac Mini without a camera. I wonder if I will need an iSight camera or if other cameras can work with Facetime also?

"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools." Douglas Adams

post #39 of 39
Quote:
Originally Posted by Realistic View Post

I have a Mac Mini without a camera. I wonder if I will need an iSight camera or if other cameras can work with Facetime also?

I too have a Mac mini and I have the Logitech webcam attached to it. I got FaceTime to work with it last night (although I occasionally get a message that the camera is already in use when it is no longer in use, but I have always had this problem even with iChat.)