iTunes password security in FaceTime for Mac beta draws concern

Posted in Mac Software, edited January 2014
Apple's newly released FaceTime for Mac beta allows users to change their iTunes password without reentering their existing password, causing a potential security issue [update: View Account no longer works].



Update: Apple has not commented on the matter, but numerous users have reported that clicking the "View Account" option in the FaceTime for Mac application no longer works. No update for the software was released to initiate the change.



As noted by Patrick Woods of Macworld Germany, once a computer is set up for FaceTime, the associated iTunes password can be changed without reentering the current password. This would allow anyone with physical access to a user's computer to change their iTunes password, and potentially take control of their account, without knowing the existing password.



This can be accomplished by going into the preferences for the FaceTime application and selecting the iTunes account that was entered when the application was first set up. Users can then choose "View Account," where there are two password fields that can be used to change the account password.



Of course the new password must meet all of the requirements of iTunes, including 8 characters, a number, an uppercase letter and a lowercase letter. But the password could be entered without the knowledge of the account owner, if someone had access to their computer.



Users can choose to log out of their iTunes account by using the "Sign Out" button, but this also does not address the issue, as FaceTime for Mac beta automatically saves the iTunes account's password. A new user could simply click the "sign in" button to access the account and change its password.
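
The difference between the behaviour described above and a change form that asks for the current password, as an added example (not part of the original article and not Apple's code). The Account class and both function names are hypothetical, the password policy is the one stated in the article, and the credentials are constructed samples.

```python
import hashlib
import hmac
import os
import re

class Account:
    """Hypothetical account record holding a salted password hash."""
    def __init__(self, password: str):
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def verify(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)  # constant-time compare

def meets_policy(pw: str) -> bool:
    # Policy as stated in the article: 8 characters, a number, upper- and lowercase.
    return len(pw) >= 8 and all(re.search(p, pw) for p in (r"\d", r"[A-Z]", r"[a-z]"))

def change_password_no_reauth(account, signed_in, new_pw, confirm_pw) -> bool:
    """Behaviour the article describes: a signed-in session and two new-password fields."""
    if not signed_in or new_pw != confirm_pw or not meets_policy(new_pw):
        return False
    account.set_password(new_pw)
    return True

def change_password_with_reauth(account, signed_in, current_pw, new_pw, confirm_pw) -> bool:
    """Hardened form: a cached sign-in is not enough; the current password is re-checked."""
    if not signed_in or not account.verify(current_pw):
        return False
    if new_pw != confirm_pw or not meets_policy(new_pw):
        return False
    account.set_password(new_pw)
    return True

if __name__ == "__main__":
    victim = Account("Old-Passw0rd")  # constructed sample credential
    print(change_password_no_reauth(victim, True, "Changed1x", "Changed1x"))
    victim = Account("Old-Passw0rd")
    print(change_password_with_reauth(victim, True, "", "Changed1x", "Changed1x"))
    print(victim.verify("Old-Passw0rd"))
```

The policy check runs in the same function that writes the new hash, so it does not depend on the form that collected the input.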







FaceTime is Apple's open standard for video chat, first introduced earlier this year on the iPhone 4. On Wednesday, Apple released the first beta of its FaceTime for Mac application, which allows Mac users to video chat with other FaceTime users on the Mac, iPhone 4, or fourth-generation iPod touch.



FaceTime for Mac automatically accesses a user's Address Book contacts, so there's no need to create special buddy lists. It also works seamlessly with the built-in camera and mic on Mac notebooks, the iMac desktop, and Apple LED Cinema Displays.



FaceTime requires Mac OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is available at www.apple.com/mac/facetime.

Comments

  • Reply 1 of 38
    nkhm Posts: 928 member
    And this is why public betas are a bad idea. Most end users have no idea about the implications, they simply think they're getting free/early software.



    I also note that this security flaw requires physical access to the machine. Not exactly life threatening, but best to be tightened up.
  • Reply 2 of 38
    ajitmd Posts: 365 member
    Any idea when we will get a Windows version?
  • Reply 3 of 38
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by AjitMD View Post


    Any idea when we will get a Windows version?



    When someone makes a Windows version? I'm just glad they didn't add it to iTunes to get a short-term adoption boost.
  • Reply 4 of 38
    You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.
  • Reply 5 of 38
    Quote:
    Originally Posted by nkhm View Post


    And this is why public betas are a bad idea. Most end users have no idea about the implications, they simply think they're getting free/early software...



    So then who's really at fault here? Apple for releasing a "wanted" public beta, or those who install it without entirely understanding the concept of a "beta"? I agree Apple should not have overlooked something so basic before releasing a public beta but these types of releases help to collect vital information that not only benefits Apple in their development but the end user as well; should such products reach the retail status or even for the sake of releasing a final version much quicker.



    I would never go as far as to say public betas are a bad idea, they just need to be carefully thought out and developed before release. I think we can all rest assured that this particular flaw will be fixed very quickly. Think of it this way: Apple overlooked this, the public quickly discovered it and made mention. If Apple spent this much time and never noticed the issue, how much more time would have been wasted before the issue was discovered (had there not been a public beta)? Not to mention what could have happened had this issue carried over into the final release or as a preloaded feature on all new Macs.
  • Reply 6 of 38
    It's just magical.



    It's a new feature along with the capability to work in FaceTime EVEN in a full screen mode, as it was emphasized during the keynote.







    Quote:
    Originally Posted by Magic_Al View Post


    You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.



    Like what?

    What is more important on your PC than your credit card information. Which now can be easily used by a criminal? (Though only in the AppStore, but you would not be happy about the receipt you are going to get, for sure).
  • Reply 7 of 38
    MacPro Posts: 18,372 member
    Quote:
    Originally Posted by Magic_Al View Post


    You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.



    I am not sure ... I know it lets you change the e-mail associated with FaceTime, but I am not convinced it changes your actual iTunes account log-in e-mail. I will have to recheck. If it does I bet it is fixed asap.



    FT works like a charm on our Macs BTW, I love it..
  • Reply 8 of 38
    felix01 Posts: 253 member
    Apparently the beta doesn't check that the password is a minimum of eight characters either (despite the warning)...my wife set her FaceTime account up with less.
  • Reply 9 of 38
    MacPro Posts: 18,372 member
    Quote:
    Originally Posted by Felix01 View Post


    Apparently the beta doesn't check that the password is a minimum of eight characters either (despite the warning)...my wife set her FaceTime account up with less.



    Send feedback to Apple on that one!



    Mine annoyingly offers my old .mac e-mail at log in not my .me. I know they are interchangeable but I'd love to move on already!
  • Reply 10 of 38
    I think Apple is already fixing this....my "view account" button no longer works





    Edit: it works...
  • Reply 11 of 38
    Color me un-afraid.



    A simple fix from Apple of requiring the input of the current password to change it is all that's required. Hardly earth shattering. This is a very simple fix and the kind of thing that crops up in a public Beta.



    Should Apple have seen this before it went public? Probably. But like others have said, if a nefarious person already has access to your open user account, they most likely have more on their mind than changing your iTunes password.



    Small problem, easy fix, no real security threat. I trust Apple will address this.
  • Reply 12 of 38
    nkhm Posts: 928 member
    Quote:
    Originally Posted by KrakaJap View Post


    So then who's really at fault here? Apple for releasing a "wanted" public beta, or those who install it without entirely understanding the concept of a "beta"? I agree Apple should not have overlooked something so basic before releasing a public beta but these types of releases help to collect vital information that not only benefits Apple in their development but the end user as well; should such products reach the retail status or even for the sake of releasing a final version much quicker.



    I would never go as far as to say public betas are a bad idea, they just need to be carefully thought out and developed before release. I think we can all rest assured that this particular flaw will be fixed very quickly. Think of it this way: Apple overlooked this, the public quickly discovered it and made mention. If Apple spent this much time and never noticed the issue, how much more time would have been wasted before the issue was discovered (had there not been a public beta)? Not to mention what could have happened had this issue carried over into the final release or as a preloaded feature on all new Macs.



    Apple are at fault for releasing software to the general public rather than to its developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.
  • Reply 13 of 38
    euler Posts: 78 member
    I still have not tried FaceTime, but the question I have is that I have just one email addy and one AppleID. How can I use my iPod Touch to call my Home Computer to chat with the wife/kids? I mean, can you call yourself?
  • Reply 14 of 38
    gqb Posts: 1,934 member
    My wife and I have a dual login on our iMac. I installed the beta on my side (worked wonderfully) but when I went to her login and launched the app (same bits) it came up with my id/pw populated and asking for permission to use my keychain.

    And then when we put in her AppleID/pw, it could never authenticate.



    I'm de-installing until this is worked out.



    Looking forward to it working properly tho'... it's slick.
  • Reply 15 of 38
    nkhm Posts: 928 member
    Quote:
    Originally Posted by digitalclips View Post


    Send feed back to Apple on that one!



    Mine annoyingly offers my old .mac e-mail at log in not my .me. I know they are interchangeable but I'd love to move on already!



    Check your personal entry in the address book app - this is where the info is coming from...
  • Reply 16 of 38
    nvidia2008 Posts: 9,262 member
    Quote:
    Originally Posted by AjitMD View Post


    Any idea when we will get a Windows version?



    Quote:
    Originally Posted by solipsism View Post


    When someone makes a Windows version? I'm just glad they didn't add it to iTunes to get a short-term adoption boost.



    They want iPhone and iPod touch users to strongly consider getting a Mac.
  • Reply 17 of 38
    Quote:
    Originally Posted by nkhm View Post


    Apple are at fault for releasing software to the general public rather than to its developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.



    Most people won't care. The average user is much more average than we think... When it comes to "non-tech" people nowadays...



    Anyways, hope Apple fixes it soon... Downloading it now...
  • Reply 18 of 38
    Quote:
    Originally Posted by Doorman. View Post


    Like what?

    What is more important on your PC than your credit card information. Which now can be easily used by a criminal? (Though only in the AppStore, but you would not be happy about the receipt you are going to get, for sure).



    Just a few off the top of my head...



    1) Save any passwords in your browser or keep a file laying around with all your passwords to various sites and banks?

    2) Save any form information in your browser?

    3) Use Quicken or something like it to manage your finances?

    4) they can install a keylogger to get all your information in the future

    5) they can change your password so you can no longer access your computer

    6) they can wipe your hard disk

    7) ....



    this can go on forever. If someone gets physical access to your computer and has a malicious intent, you are screwed.
  • Reply 19 of 38
    flaneur Posts: 4,518 member
    Quote:
    Originally Posted by euler View Post


    I still have not tried FaceTime, but the question I have is that I have just one email addy and one AppleID. How can I use my iPod Touch to call my Home Computer to chat with the wife/kids? I mean, can you call yourself?



    I believe you will just have to open up a Yahoo, Hotmail or whatever email account from the home computer and use that for your other address to register and verify with Apple. I did this last night so that I wouldn't have to use my main Apple ID as my public FaceTime address, and it worked fine. So it seems you can set more than one address for the home computer under Preferences in FaceTime. I wonder if you can do the same with the touch or the iPhone.
  • Reply 20 of 38
    Edited out.