It all started with an error in code, just like so many other vulnerabilities. The SSL/TLS vulnerability we are talking about is serious. The Verge has even gone so far as to say that this flaw has existed for 18 months and that it might be used by the NSA to gain access to Apple devices.
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.
In layman’s terms, it means that the data sent and received with Safari, Apple apps and any third-party app that uses Apple’s own SSL system on iOS and Mac is not encrypted and secure.
What Exactly Went Wrong?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are a set of technologies that establish a secure and encrypted connection between your computer and the server. The error in the code caused the signature verification part of this process to fail.
This means that the system can check whether the security certificate is secure, but it cannot check who signed the certificate. As a result, a forged signature request can go through the system without any problems.
The SSL bug makes it easy for hackers to gain access to sensitive information like usernames, passwords, and credit card info when using apps that use Apple’s SSL system for encryption.
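The coding error was widely reported as a duplicated `goto fail;` line that skipped the final signature check while leaving the error code at "success". The sketch below is an added illustration, not Apple's code: it is a simplified model of that control flow next to a corrected version, and every function name and the toy hash are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake hash and signature check (not Apple's code). */
static int hash_update(unsigned *h, const char *data) {
    if (data == NULL) return -1;
    for (; *data; data++) *h = *h * 31u + (unsigned char)*data;
    return 0;
}
static int signature_matches(unsigned h, unsigned sig) {
    return h == sig ? 0 : -1;
}
/* What an honest server's signature would cover in this toy model. */
unsigned sign_params(const char *client_random, const char *server_params) {
    unsigned h = 7;
    hash_update(&h, client_random);
    hash_update(&h, server_params);
    return h;
}
/* Flawed shape: the second "goto fail" is unconditional, so the signature
 * comparison is never reached and err still holds 0 (success). */
int verify_buggy(const char *client_random, const char *server_params, unsigned sig) {
    int err;
    unsigned h = 7;
    if ((err = hash_update(&h, client_random)) != 0)
        goto fail;
    if ((err = hash_update(&h, server_params)) != 0)
        goto fail;
        goto fail;
    err = signature_matches(h, sig);
fail:
    return err;
}
/* Corrected shape: braces on every branch, duplicate line removed. */
int verify_fixed(const char *client_random, const char *server_params, unsigned sig) {
    int err;
    unsigned h = 7;
    if ((err = hash_update(&h, client_random)) != 0) { goto fail; }
    if ((err = hash_update(&h, server_params)) != 0) { goto fail; }
    err = signature_matches(h, sig);
fail:
    return err;
}
int main(void) {
    unsigned bad = sign_params("client-random", "server-params") + 1; /* wrong signature */
    printf("buggy accepts bad signature: %s\n", verify_buggy("client-random", "server-params", bad) == 0 ? "yes" : "no");
    printf("fixed accepts bad signature: %s\n", verify_fixed("client-random", "server-params", bad) == 0 ? "yes" : "no");
    return 0;
}
```

Compiler warnings such as GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` flag this pattern, which is why they are worth enabling in builds of security-critical code.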
The bug affects iOS devices from iOS 6 to iOS 7.0.5, Apple TV and OS X Mavericks. Apple has pushed the following updates for its users.
Updates for iOS
iOS 7.0.6 update for iOS 7 users.
iOS 6.1.6 update for iOS 6 users.
iOS 6.0.2 update for Apple TV owners.
Update for Mac
OS X 10.9.2 update for Mavericks.
If you are not up to date on any of these versions, you need to hit that update button fast. What if my device is jailbroken, you ask? We have a solution for you as well.
Solution For Jailbreakers
If your iPhone or iPad is jailbroken, you are in luck. You don’t need to update iOS to patch this vulnerability. Installing a tweak by Ryan Petrich from Cydia will do the trick. Here’s how you can do that.
Step 1: Go into Manage, tap Edit and then Add.
Step 2: In the text field add this URL – http://rpetri.ch/repo and tap Add Source.
Step 3: You are now subscribed to Ryan’s repo. Go back to Cydia, click Search and search for SSLPatch.
Step 4: Now click Install and then choose Confirm. The patch will be installed. Click on Reboot Device when prompted.
To make sure the tweak was installed and works properly, go to gotofail.com and it should say “Safe”.