Apple quietly released a major update Friday to fix a security glitch in its iOS 7 systems. But independent security experts say the seemingly routine update covers up what arguably could be Apple’s biggest security lapse, exposing iPhone, iPad and iPod Touch users to hackers.
The issue is an extra line of “goto” code that bypasses the iOS system’s authentication process, allowing a third party to intercept emails and Internet traffic. That means a hacker can pose as a friendly, trusted source, such as your email provider, and eavesdrop on users’ encrypted Internet traffic and potentially take full control of the system.
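How one stray "goto" line can skip an authentication check, shown as an added C illustration that is constructed for this page and is not Apple's code. The function names (`hash_step`, `check_signature`, `verify_flawed`, `verify_fixed`) and the two-step check are hypothetical stand-ins.

```c
#include <stdio.h>

/* Constructed stand-ins for real verification steps: 0 means success. */
static int hash_step(int ok)              { return ok ? 0 : -1; }
static int check_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Flawed form: without braces, only the first goto belongs to the if.
 * The second goto always runs, so the signature check is never reached
 * and err still holds 0 ("success") from the step before it. */
int verify_flawed(int hash_ok, int sig_valid)
{
    int err;

    if ((err = hash_step(hash_ok)) != 0)
        goto fail;
        goto fail;                      /* the extra line */
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;

fail:
    return err;                         /* 0 is treated as "verified" */
}

/* Corrected form: braces on every branch and a failing default, so a
 * skipped check cannot be reported as success. */
int verify_fixed(int hash_ok, int sig_valid)
{
    int err = -1;

    if ((err = hash_step(hash_ok)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_valid)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Constructed input: hashing succeeds, signature is invalid. */
    printf("flawed: %d\n", verify_flawed(1, 0));
    printf("fixed:  %d\n", verify_fixed(1, 0));
    return 0;
}
```

Compiler warnings such as GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` flag this pattern, as does a test that feeds the verifier an invalid signature and expects rejection.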
Cybersecurity researchers say the bug affects only Apple’s Safari Web browser and that Chrome and Firefox are not affected. Switching from Safari to another browser could help protect some users, Forbes reported. Apple’s Mac operating system, OS X, is also at risk from the security flaw, according to CrowdStrike, a security tech firm that says it was able to recreate the glitch. But Apple hasn’t yet released a fix for MacBooks and iMacs.
Apple has released relatively few details about the security flaw. When the update was released for mobile devices, Apple’s description said only that the iOS 7 “update provides a fix for SSL connection verification.” SSL, or Secure Sockets Layer, is what keeps user data exchanged between the Internet browser and websites private.
Apple was slightly more specific on its security support page, saying that “an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” The announcement stopped short of fully explaining the security lapse, citing a company policy that prevents full disclosure of security problems pending an internal investigation.
There’s speculation that the bug was instead a backdoor, now being closed off, to aid government agencies such as the U.S. National Security Agency, according to Forbes. Other reports say that any use of “goto” code is simply bad programming because of its security issues and that Apple’s bug is just a mistake.