OMEN
10-21-2010, 05:51 PM
Apple's newly released FaceTime for Mac beta allows users to change their iTunes password without reentering their existing password, causing a potential security issue.
As noted by Patrick Woods of Macworld Germany, once a computer is set up for FaceTime, the associated iTunes password can be changed without reentering the current password. This would allow anyone with physical access to a user's computer the ability to change their iTunes password, and potentially take control of their account, without knowing the existing password.
This can be accomplished by going into the preferences for the FaceTime application and selecting the iTunes account that was entered when the application was first set up. Users can then choose "View Account," where there are two password fields that can be used to change the account password.
Of course the new password must meet all of the requirements of iTunes, including 8 characters, a number, an uppercase letter and a lowercase letter. But the password could be entered without the knowledge of the account owner, if someone had access to their computer.
Users can choose to log out of their iTunes account by using the "Sign Out" button, but this also does not address the issue, as FaceTime for Mac beta automatically saves the iTunes account's password. A new user could simply click the "sign in" button to access the account and change its password.
http://imagevader.com/out.php?i=188441_facetime-101021.jpg
FaceTime is Apple's open standard for video chat, first introduced earlier this year on the iPhone 4. On Wednesday, Apple released the first beta of its FaceTime for Mac application, which allows Mac users to video chat with other FaceTime users on the Mac, iPhone 4, or fourth-generation iPod touch.
FaceTime for Mac automatically accesses a user's Address Book contacts, so there's no need to create special buddy lists. It also works seamlessly with the built-in camera and mic on Mac notebooks, the iMac desktop, and Apple LED Cinema Displays.
FaceTime requires Mac OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is available at www.apple.com/mac/facetime.
Apple Insider
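The control missing from the flow described above is re-authentication before a credential change. The sketch below is an added illustration, not code from Apple or from the article: the Account class and both handler names are hypothetical, and the policy check uses the requirements the article lists, reading "8 characters" as a minimum.

```python
import hashlib
import hmac
import os
import re


def derive(password, salt):
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:  # hypothetical account record, not Apple's
    def __init__(self, password):
        self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = derive(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(self.pw_hash, derive(password, self.salt))


def meets_policy(pw):
    # Requirements as listed in the article; "8 characters" read as a minimum.
    return len(pw) >= 8 and all(
        re.search(p, pw) for p in (r"\d", r"[A-Z]", r"[a-z]"))


def change_password_session_only(account, signed_in, new_pw, confirm):
    # Flow the article describes: signed-in client plus two new-password fields.
    if not signed_in or new_pw != confirm or not meets_policy(new_pw):
        return False
    account.set_password(new_pw)
    return True


def change_password_reauth(account, signed_in, current_pw, new_pw, confirm):
    # Hardened flow: a live session is not enough, the current password
    # must be presented again before the credential is replaced.
    if not signed_in or not account.verify(current_pw):
        return False
    if new_pw != confirm or not meets_policy(new_pw):
        return False
    account.set_password(new_pw)
    return True
```

With the second handler, a saved sign-in on an unattended machine still opens the session, but the password cannot be replaced without knowing the existing one.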