Tuesday, July 24, 2012

Classic Attacks Still Work -- that's why they are classic!

The brouhaha over a recent hacker's assault on Apple's walled garden reveals that the classics still rule. Using a "man in the middle" vulnerability in the DNS, the Russian computer jockey spoofed Apple's commerce server and intercepted in-application purchases.

The iPhone/iPad applications would send payment data through an encrypted SSL channel, but due to a sloppy implementation of public key infrastructure, said apps would trust *any* server with the appropriate reverse lookup host name. The whole point of certificates is that the client verifies the server's identity during the handshake.

The Russian's methods are crude, but in the end, it's the vulnerability of the DNS infrastructure that enables this to work. That, and Apple not validating certificates from its commerce server properly. How is a man-in-the-middle attack possible if the PKI certificate from the commerce server is validated by the client (phone/iPad)? It isn't. As for "clear text", the uid and pw traverse the Internet via an SSL connection; it's that connection that has been compromised.
Read more on ZDNet...
- Posted by Tom/Bluedog
