The iOS SSL/TLS bug is worse than you think


Holy smokes. So having looked at the actual code for this, the bug in iOS / OSX is way worse than described on Gizmodo. The article is misleading when it says your home network is safe; it’s not. If I poison your DNS queries, compromise your home router (they’re very exploitable), have privileged access to the network infrastructure between you and what you’re connecting to, or all manner of other things, then I own your connection, and whatever data you send across it: credit card details, bank account logins, Facebook passwords, all of it. If I hijack anything that’s doing a software update, then I may potentially own your device.

In fact, if you’re already logged into a website, I may even be able to steal your cookies and act as you without you even needing to enter a username and password at all. Seriously, this exploit really is about as bad as it gets.

Two-factor auth will mitigate some, but not all of the damage here. The only way to close this hole is to upgrade your vulnerable Apple devices now. Please do this. Seriously.

Edit: What am I saying? Two-factor auth isn’t going to help you one damn bit. If you’ve just typed in your account number and password to your bank, of course you’re going to supply me with your one-time password as well, because you think it’s your bank asking for it, and your browser isn’t going to tell you otherwise. You’re going to supply it even if the bank texts it to your phone; in fact, that just makes the whole thing feel more legitimate. So please, really, really upgrade. Right now.

CVE-2014-1266

This site is ad-free, and all text, style, and code may be re-used under a Creative Commons Attribution 3.0 license.
