One of the big announcements from the Apple media event yesterday was the release of FaceTime video chat for the Mac. That means that Macs can now join the army of iPhones and iPod Touch devices in face-to-face conversations. Unfortunately, FaceTime for Mac apparently includes a massive security hole.
A German website, MacNotes, found “With a few clicks others can make use of the user’s Apple ID and reset the password with ease.”
MacNotes goes on to explain, “Once you’ve logged into FaceTime you can have a look at all the account settings of the used Apple ID. Username, ID, place and birth date are shown as well as the security question and the answer to it – in plain text, without another password request. To reset the password to an Apple ID, all you need is the exact birth date and the answer to the security question – we tried that out for you, and it worked fine.”
This is a serious issue. Anyone who has physical access to a Mac set up with FaceTime can conceivably view sensitive information in plain text, change the assigned password without knowing the current one, and access or compromise the Apple ID and iTunes account.
Another issue uncovered by MacNotes is, “When you choose ‘Log Out’ from the top menu, the password remains in the password field, even when restarting the application. That shouldn’t be the case though: Applications should remove passwords from the password field as soon as the application is closed.”
Anyone using FaceTime on a Mac should take precautions to ensure that no unauthorised users can access the system until Apple resolves the security concerns.