[SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com

2009-03-12 Thread Kenneth Van Wyk

Hello SC-Lers,

I saw this blog and thought it may be of interest here:

http://blogs.zdnet.com/security/?p=2861

According to the blog, there's a design issue (read: flaw) in iTunes  
that can allow a maliciously formed podcast to cause a user to get  
prompted for a username/password -- to iTunes itself.  That dialog box  
can then be hijacked and the victim's credentials stolen.


What made it interesting to me was a couple of things: first, the cited
advisory from Apple (http://support.apple.com/kb/HT3487) clearly says
it's a design issue.  Tells me we're not likely to see a real fix for
a while, IMHO.  Indeed, Apple's initial fix to this design issue is,
"This update addresses the issue by clarifying the origin of the
authentication request in the dialog."  That doesn't sound like much
of a fix at all, and I'd expect a lot of users will still fall for the
dialog box ruse.  Sigh...


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com

2009-03-12 Thread Jim Manico
On the topic of podcasts, I'm very pleased to announce the release of the
non-rigged live release of OWASP Podcast #12, an interview with Ryan C.
Barnett.

Ryan Barnett talks about the OWASP ModSecurity core ruleset project and WAF
technology in general. Ryan has such incredible experience in this space - I
was really impressed with his depth - as well as his use of football as
metaphor! =)

To listen to OWASP Podcast #11 you can download the mp3 file directly,
subscribe to the RSS feed or subscribe directly through iTunes!

Aloha from OWASP Podcast HQ,
Jim 
