iTunes password security in FaceTime for Mac beta draws concern
Apple's newly released FaceTime for Mac beta allows users to change their iTunes password without reentering their existing password, causing a potential security issue [update: View Account no longer works].
Update: Apple has not commented on the matter, but numerous users have reported that clicking the "View Account" option in the FaceTime for Mac application no longer works. No update for the software was released to initiate the change.
As noted by Patrick Woods of Macworld Germany, once a computer is set up for FaceTime, the associated iTunes password can be changed without reentering the current password. This would allow anyone with physical access to a user's computer the ability to change their iTunes password, and potentially take control of their account, without knowing the existing password.
This can be accomplished by going into the preferences for the FaceTime application and selecting the iTunes account that was entered when the application was first set up. Users can then choose "View Account," where there are two password fields that can be used to change the account password.
Of course the new password must meet all of the requirements of iTunes, including 8 characters, a number, an uppercase letter and a lowercase letter. But the password could be entered without the knowledge of the account owner, if someone had access to their computer.
Users can choose to log out of their iTunes account by using the "Sign Out" button, but this also does not address the issue, as FaceTime for Mac beta automatically saves the iTunes account's password. A new user could simply click the "sign in" button to access the account and change its password.
FaceTime is Apple's open standard for video chat, first introduced earlier this year on the iPhone 4. On Wednesday, Apple released the first beta of its FaceTime for Mac application, which allows Mac users to video chat with other FaceTime users on the Mac, iPhone 4, or fourth-generation iPod touch.
FaceTime for Mac automatically accesses a user's Address Book contacts, so there's no need to create special buddy lists. It also works seamlessly with the built-in camera and mic on Mac notebooks, the iMac desktop, and Apple LED Cinema Displays.
FaceTime requires Mac OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is available at www.apple.com/mac/facetime.
Update: Apple has not commented on the matter, but numerous users have reported that clicking the "View Account" option in the FaceTime for Mac application no longer works. No update for the software was released to initiate the change.
As noted by Patrick Woods of Macworld Germany, once a computer is set up for FaceTime, the associated iTunes password can be changed without reentering the current password. This would allow anyone with physical access to a user's computer the ability to change their iTunes password, and potentially take control of their account, without knowing the existing password.
This can be accomplished by going into the preferences for the FaceTime application and selecting the iTunes account that was entered when the application was first set up. Users can then choose "View Account," where there are two password fields that can be used to change the account password.
Of course the new password must meet all of the requirements of iTunes, including 8 characters, a number, an uppercase letter and a lowercase letter. But the password could be entered without the knowledge of the account owner, if someone had access to their computer.
Users can choose to log out of their iTunes account by using the "Sign Out" button, but this also does not address the issue, as FaceTime for Mac beta automatically saves the iTunes account's password. A new user could simply click the "sign in" button to access the account and change its password.
FaceTime is Apple's open standard for video chat, first introduced earlier this year on the iPhone 4. On Wednesday, Apple released the first beta of its FaceTime for Mac application, which allows Mac users to video chat with other FaceTime users on the Mac, iPhone 4, or fourth-generation iPod touch.
FaceTime for Mac automatically accesses a user's Address Book contacts, so there's no need to create special buddy lists. It also works seamlessly with the built-in camera and mic on Mac notebooks, the iMac desktop, and Apple LED Cinema Displays.
FaceTime requires Mac OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is available at www.apple.com/mac/facetime.
Comments
I also not that this security flaw requires physical access to the machine. Not exactly life threatening, but best to be tightened up.
Any idea when we will get a Windows version?
When someone malkes a Windows version? I'm just glad they didn't add it to iTunes to get a shortterm adoption boost.
And this is why public betas are a bad idea. Most end users have no idea about the implications, they simply think they're getting free/early software...
So then who's really at fault here? Apple for releasing a "wanted" public beta, or those who install it without entirely understanding the concept of a "beta"?
I would never go as far as to say public betas are a bad idea, they just need to be carefully thought out and developed before release. I think we can all rest assured that this particular flaw will be fixed very quickly. Think of it this way: Apple overlooked this, the public quickly discovered it and made mention. If Apple spent this much time and never noticed the issue, how much more time would have been wasted before the issue was discovered (had there not been a public beta)?
It's a new feature along with the capability to work in facetime EVEN in a full screen mode, as it was emphasized during the keynote.
You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.
Like what?
What is more important on your PC than your credit card information. Which now can be easily used by a criminal? (Though only in the AppStore, but you would not be happy about the receipt you are going to get, for sure).
You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.
I am not sure ... I know it let's you change the e-mail, associated with FaceTime but I am not convinced it changes your actual iTune's account log in e-mail. I will have to re check. If it does I bet it is fixed asap.
FT works like a charm on our Macs BTW, I love it..
Apparently the beta doesn't check that the password is a minimum of eight characters either (despite the warning)...my wife set her FaceTime account up with less.
Send feed back to Apple on that one!
Mine annoyingly offers my old .mac e-mail at log in not my .me. I know they are interchangeable but I'd love to move on already!
Edit: it works...
A simple fix from Apple of requiring the input of the current password to change it is all that's required. Hardly earth shattering. This is a very simple fix and the kind of thing that crops up in a public Beta.
Should Apple have seen this before it went public? Probably. But like others have said, if a nefarious person already has access to your open user account, they most likely have more on their mind that changing your iTunes password.
Small problem, easy fix, no real security threat. I trust Apple will address this.
So then who's really at fault here? Apple for releasing a "wanted" public beta, or those who install it without entirely understanding the concept of a "beta"?
I would never go as far as to say public betas are a bad idea, they just need to be carefully thought out and developed before release. I think we can all rest assured that this particular flaw will be fixed very quickly. Think of it this way: Apple overlooked this, the public quickly discovered it and made mention. If Apple spent this much time and never noticed the issue, how much more time would have been wasted before the issue was discovered (had there not been a public beta)?
Apple are at fault for releasing software to the general public rather than to it's developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.
And then when we put in her AppleID/pw, it could never authenticate.
I'm de-installing until this is worked out.
Looking forward to it working properly tho'... it's slick.
Send feed back to Apple on that one!
Mine annoyingly offers my old .mac e-mail at log in not my .me. I know they are interchangeable but I'd love to move on already!
Check your personal entry in the address book app - this is where the info is coming from...
Any idea when we will get a Windows version?
When someone malkes a Windows version? I'm just glad they didn't add it to iTunes to get a shortterm adoption boost.
They want iPhone and iPod touch users to strongly consider getting a Mac.
Apple are at fault for releasing software to the general public rather than to it's developer community. No one "wanted" a public beta, people want stable, gold master software as soon as possible. Public betas are a bad idea, most people will simply grumble when there is an issue rather than (or being able to) give a full error report to Apple - it serves no purpose except for bad press from people who simply don't understand what "beta" software is.
Most people won't care. The average user is much more average than we think... When it comes to "non-tech" people nowadays...
Anyways, hope Apple fixes it soon... Downloading it now...
Like what?
What is more important on your PC than your credit card information. Which now can be easily used by a criminal? (Though only in the AppStore, but you would not be happy about the receipt you are going to get, for sure).
Just a few off the top of my head...
1) Save any passwords in your browser or keep a file laying around with all your passwords to various sites and banks?
2) Save any form information in your browser?
3) Use Quicken or something like it to manage your finances?
4) they can install a keylogger to get all your information in the future
5) they can change your password so you can no longer access your computer
6) they can wipe your hard disk
7) ....
this can go on forever. If someone gets physical access to your computer and has a malicious intent, you are screwed.
I still have not tried FaceTime, but the question I have is that I have just one email addy and one AppleID. How can I use my iPod Touch to call my Home Computer to chat with the wife/kids? I mean, can you call yourself?
I believe you will just have to open up a Yahoo, Hotmail or whatever email account from the home computer and use that for your other address to register and verify with Apple. I did this last night so that I wouldn't have to use my main Apple ID as my public FaceTime address, and it worked fine. So it seems you can set more than one address for the home computer under Preferences in FaceTime. I wonder if you can do the same with the touch or the iPhone.