Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw

“Less than a day’s work was all it took for one New Zealand security consultant to develop a proof of concept for the actively open OS X exploit revealed at the weekend, and known as ‘goto fail,'” Chris Duckett reports for ZDNet. “Aldo Cortesi, CEO and founder of security consultancy firm Nullcube, said in a blogpost today that he had modified his existing mitmproxy code to take advantage of the open hole in OS X Mavericks.”

“‘I’ve confirmed full transparent interception of HTTPS traffic on both IOS (prior to 7.0.6) and OSX Mavericks,’ Cortesi wrote. ‘Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured,'” Duckett reports. “Cortesi said that iCloud data, including KeyChain enrollment and updates, data from Calendar application, and traffic from apps that use certificate pining, such as Twitter. ‘It’s difficult to over-state the seriousness of this issue,’ he wrote. ‘With a tool like mitmproxy in the right position, an attacker can intercept, view and modify nearly all sensitive traffic.'”

Duckett reports, “Speaking to ZDNet, Cortesi said… ‘I think there’s a quite a good chance that I wasn’t the first, so it’s safest to assume that this is being actively exploited in the wild. Of course, it’s also likely that intelligence agencies have been onto this issue for some time.'”

Read more in the full article here.

MacDailyNews Take: Tick, tock, tick, tock…

Related articles:
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014


  1. I called Apple TS and the tech knew nothing of it. I told him to read MDN that it’s all over the media. “I didn’t know!” Was the response. He put me on hold and can back a while later and referred me to Apple’s security website.

    1. Your probably that same idiot that goes into the stores and demands a fix, and says “it’s all over the internet”. Relax, I’m sure all the people that are much more intelligent have it under control.

    1. This isn’t actually an open Wi-Fi problem. It’s specific to situations where Mac users use SSL connections between their computers and their destination website. This can happen via either open or encrypted router connections. It’s what’s happening AFTER the router on the way to the website that’s the danger area.

      1. Thanks You DC, the truth is that ANY Mac on any connection that uses SSL is wide open to attacks and not just through the browser. Any Mac app or feature in OS X that hooks into the internet is susceptible. That would include Mail, FaceTime, iTunes, iCloud and all other kinds of stuff.

        The fact is that Apple fixed the IOS and left Mac users twisting in the wind.

        In the short term the best idea would be to do secure communications via iOS devices (patched). The Chromium browser is a good standby browser until Safari is fixed.

        This is some bone headed shit by Apple. Even Internet Explorer is immune to this kind of hack. Jony Ive was more interested in fu-fu flat graphics and pastels instead of what was under the hood.

        1. Thankfully, as MDN reported this afternoon, Apple has swiftly fixed the OS X SSL flaw by releasing the 10.9.2 update.

          Yes, sad to say, there IS some ‘bone headed shit’ going on at Apple. Theoretically, this entire problem would not have occurred if Apple had stuck to modern coding standards and NEVER used GOTO commands.

          (I have my fire extinguisher at the ready!)

          The total time of ‘twisting in the wind’, however, was a total of about two weeks after the first exploits of the SSL flaw were discovered and reported by Dan Goodin at ArsTechnica. That’s NOT all that bad a response time.

          Consider the fact that Oracle was discovered to have sat on over 50 known security holes in Java for OVER SIX MONTHS. (I hate you Oracle!)

        2. Let’s be accurate. It is not “any Mac”. It’s any Mac using OSX.9 Mavericks. All earlier versions of OSX were unaffected by the glitchy programming change. If you had not updated to Mavericks, you were safe.

    1. You’re embarrassed because Apple hasn’t fixed this shit?

      Suck it up fanboi and stop making excuses for Apple and maybe the Android trolls will stop picking on you.

      Jobs said details matter, and someone overlooked a ball buster. My sense is, there is an internal investigation for cause and that Apple has already involved the FBI to determine the scope of the damage and to gather intelligence, before releasing a fix.

      Serve No Shit Before Its Time.

      Otherwise we’ll have to listen to this troll bleating about broken shit. Maroon.

      1. Apparently we have at least 14 fanbois who also have red faces. Is this anything like that pseudo Polio spreading in California?

        Honestly, why would any of you be embarrassed for Apple? Do you think they care about your feelings? Your pride?


        So Apple shot themselves in the foot. Are they suddenly incompetent? Is this Tim Cook’s fault? Who knows, but it’s quite telling to read some people’s opinions.

  2. Wow, still no one is affected, and I doubt anyone could easily sit somewhere and install and run nitmproxy to do anything, and the traffic is still encrypted.. but its the end of the world as we know it. If Apple thought it was going to have a serious impact on OSX, it would have already been patched, they are not ignorant ,

    1. If Apple thought it was going to have a serious impact on OSX, it would have already been patched, they are not ignorant ,

      I agree. Apple will have this fixed before anyone can develop a means to siphon off any data; way too many variables for a hacker to deal with before he takes it public.

      This could be easily exploited in a workplace environment of networked Macs and even then we’d be witness to Darwinism; the weak using work computers for personal business, online banking, et. al., when they’re explicitly told not to.

      You know, like half the people on these boards who peek out of their cubicles every so often to see if anyone is checking up on them?

      1. Though many security experts would love to have a system where a patch is magically installed in all susceptible hardware the moment it is released, the reality is the patch will never be installed w/o the user taking the action to install it. As such the lag time between the patch release and application will be the window in which data may be compromised.

  3. Tim Cook and the top hats are consulting with their legal team to see how they can dodge away from our embarrassed shit bags… Come on Apple management, you can do better than staying silence.

  4. Yeah, MDN *cough* Steve Jack *cough* knows exactly what this issue involves and how to patch it. And Apple doesn’t.

    I’m trusting Apple is doing everything necessary to fix the problem, despite how this appears to some people.

  5. I’ve been changing my point of view through out this whole ordeal. At first (just like everyone else), I believed that all that was needed as a simple delete of the second “goto fail” line. However upon further thought and after others pointed it out, its clear that the second “goto fail” was indeed used as if the first two “if” statements were false it would always hit the “goto fail” without ever even attempting the third “if” statement. So maybe deletion of the second “goto fail” would cause a problem that Apple would have to change other code. At this point in time though, Apple should have a fix. They seemed to fix iOS 6,7 right away but those are different then Mac OS X however Mac OS 10.6-8 are unaffected so I don’t see why Apple can’t base the code off of those. As well Apple has a huge workforce at their disposal, so they better have more than 1 or 2 programmers working on this…

  6. NSA. Leave no fingerprints. iOS 6 was released in September 2012. The NSA leaked documents claim to have been able to intercept Apple communications as of October 2012. All due to a double line of code. There is some suggestion that an NSA plant inserted the extra line of code or, at a minimum, advised NSA of it and NSA then took advantage. Possibly the same scenario with Mavericks. 1984 is here, and we are being watched, listened to, and generally surveilled.

    1. I wouldn’t count on Apple’s SSL flaw being present in ALL versions of iOS 6. At this point, we only know that it was present in the second-to-last version of iOS 6. The flaw is in a single framework file that could easily have been swapped into only a recent version of iOS via an update. Therefore, this flaw may be less than a year old.

      But yes, 1984 is here, thanks to #MyStupidGovernment. The NSA’s activity is obviously an unconstitutional revocation of privacy. I’d dearly like to see everyone involved with mass surveillance of US citizens on US soil impeached and prosecuted. That includes you, Mr. Obama; Oh and you Mr. G.W. Bush. 👿

      1. Im ways the picture in “1984” was better than reality. We seem the still shine, glow and be happy. In 1984 everybody is lifeless and dull. We are, or at least should be, fully aware that we are taken to the slaughterhouse and we seem to be very merry about it.

        There is no evil in the actions of our western government, just plain stupidity mixed with ignorance and a dash of greed. We are our own murderers, our own prison guards and the root to our very problem. If only there were no people, we would be so much better of. Uh, no that would not work now, would it……

        1. “People Are A Problem”.

          We humans are incredibly creative. Sadly, one of the ramifications is that we are capable of believing almost anything to be absolutely true, then act on it. This is, IMHO, our worst enemy, that being an aspect of ourselves.

          The solution for me has been to keep learning and opening my mind to new positive aspects of living. By positive I usually mean ‘responsible’, as in responsible for the choices I make.

  7. Regarding the NSA’s treasonous surveillance of US citizens on US soil: This security flaw is very recent. It wasn’t in OS X 10.8. It’s only in 10.9. It was also only in iOS 7 and the next-to-last version of iOS 6 and Apple TV 6. Therefore, if the NSA was screwing us over with this flaw, it was only very recently.

    I’ve written up an article about what we reliably know at this time about Apple’s SSL flaw, as well as the affected applications:

    We know Apple has an internal beta of the fix. I expect the fix will go public beta this week, or we may get the update itself by Friday. We shall see.

  8. And the real kicker is the control freaks won’t let iOS 6 users who don’t want iOS 7 get the fix. This is one good reason Apple should let their guard down and let us install iOS 6.1.6 on iPhone 4 & 5!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.