Apple Fixes Password-Related Bugs in iOS and Mac OS
Apple is usually reliable for security and privacy, but every once in a while, things slip by. Two serious, and separate, vulnerabilities in iOS and Mac OS were discovered that can give away passwords. Apple has patched both security holes.
An iOS vulnerability was discovered by Davut Hari, a patent attorney from Turkey. It’s just a silly mistake. Saved passwords are not shown in plain text; they are masked as ****. That’s one line of defense. But Apple is also good at accessibility features, so if accessibility is enabled and you select the password and click the “Voice” option, the iOS device reads the password aloud. Anyone in earshot can hear the password.
Apple released an update on December 12 and admitted that a “nearby user may be able to overhear spoken passwords.” The update disabled speaking of passwords.
A security hole in Mac OS allows attackers to plug a Thunderbolt device into any Mac OS device and siphon passwords even if the device is locked.
Security researcher Ulf Frisk, who found the vulnerability, wrote on his blog, “Mac OS FileVault2 let attackers with physical access retrieve the password in clear text by plugging a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it.”
Apple patched the hole with the Mac OS Sierra 10.12.2 update. If you are one of those users who ignore updates on your system, please change that habit and start installing updates as soon as they are available.