Proof of concept captures all SSL traffic via Apple's goto fail exploit

A New Zealand security consultant has used a man-in-the-middle proxy to mop up all SSL traffic related to the App Store, updates, iCloud data, and traffic from apps that use certificate pinning, such as Twitter.
Written by Chris Duckett, Contributor

Less than a day's work was all it took for one New Zealand security consultant to develop a proof of concept for the still-unpatched OS X vulnerability revealed over the weekend and known as "goto fail".
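The "goto fail" name comes from a duplicated `goto fail;` line in Apple's SecureTransport code, which jumped past the check of the server's signature on the TLS handshake with the error variable still set to success, so any certificate chain was accepted. The block below is an added example, not code from the article, from Cortesi or from Apple: a simplified C reconstruction of that control-flow pattern next to its corrected form. `hash_update` and `verify_signature` are hypothetical stand-ins (the "signature" is a single XOR byte so the example runs offline), and the sample transcript and signature bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the transcript hashing steps that precede
 * signature verification; returns 0 on success. */
static int hash_update(const uint8_t *data, size_t len)
{
    (void)data;
    (void)len;
    return 0;
}

/* Hypothetical stand-in for verifying the server's signature over the
 * handshake transcript. A real implementation checks an RSA or ECDSA
 * signature; here the "signature" is one XOR byte over the message.
 * Returns 0 when valid, -1 otherwise. */
static int verify_signature(const uint8_t *msg, size_t len, const uint8_t *sig)
{
    uint8_t expected = 0;
    for (size_t i = 0; i < len; i++)
        expected ^= msg[i];
    return (sig[0] == expected) ? 0 : -1;
}

/* The bug pattern: the second "goto fail;" is unconditional, so control
 * jumps to the label with err still 0 and the signature check below is
 * never executed. Every handshake is therefore accepted. In the real
 * code the stray line was indented as if it belonged to the if above;
 * gcc's -Wmisleading-indentation (part of -Wall) flags that form. */
int verify_server_key_exchange_vulnerable(const uint8_t *msg, size_t len,
                                          const uint8_t *sig)
{
    int err;

    if ((err = hash_update(msg, len)) != 0)
        goto fail;
    goto fail;  /* duplicated line: always taken */
    if ((err = verify_signature(msg, len, sig)) != 0)
        goto fail;

fail:
    return err;
}

/* Corrected form: braces make the control flow explicit, and the
 * signature check is reached whenever hashing succeeds. */
int verify_server_key_exchange_fixed(const uint8_t *msg, size_t len,
                                     const uint8_t *sig)
{
    int err;

    if ((err = hash_update(msg, len)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(msg, len, sig)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Constructed sample input: a 3-byte transcript, the byte a genuine
 * signer would produce (0x01 ^ 0x02 ^ 0x03 == 0x00) and a forged byte. */
static const uint8_t SAMPLE_MSG[] = { 0x01, 0x02, 0x03 };
static const uint8_t VALID_SIG[]  = { 0x00 };
static const uint8_t FORGED_SIG[] = { 0x42 };

/* 1 if the vulnerable version accepts the forged signature. */
int vulnerable_accepts_forged(void)
{
    return verify_server_key_exchange_vulnerable(SAMPLE_MSG, sizeof SAMPLE_MSG,
                                                 FORGED_SIG) == 0;
}

/* 1 if the fixed version rejects the forged signature. */
int fixed_rejects_forged(void)
{
    return verify_server_key_exchange_fixed(SAMPLE_MSG, sizeof SAMPLE_MSG,
                                            FORGED_SIG) != 0;
}

/* 1 if the fixed version still accepts a genuine signature. */
int fixed_accepts_valid(void)
{
    return verify_server_key_exchange_fixed(SAMPLE_MSG, sizeof SAMPLE_MSG,
                                            VALID_SIG) == 0;
}

int main(void)
{
    printf("vulnerable accepts forged signature: %d\n", vulnerable_accepts_forged());
    printf("fixed rejects forged signature:      %d\n", fixed_rejects_forged());
    printf("fixed accepts valid signature:       %d\n", fixed_accepts_valid());
    return 0;
}
```

The defensive lesson is the one code reviewers drew at the time: brace every conditional body, treat unreachable-code and misleading-indentation warnings as errors in security-critical code, and have a negative test (a deliberately bad signature must be rejected) so a skipped check fails a build rather than shipping.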

Aldo Cortesi, CEO and founder of security consultancy firm Nullcube, said in a blogpost today that he had modified his existing mitmproxy code to take advantage of the open hole in OS X Mavericks.

"I've confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OSX Mavericks," Cortesi wrote.

"Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured."

Cortesi said that the proof of concept also collects iCloud data, including KeyChain enrolment and updates, data from the Calendar application, and traffic from apps that use certificate pinning, such as Twitter.

"It's difficult to overstate the seriousness of this issue," he wrote. "With a tool like mitmproxy in the right position, an attacker can intercept, view, and modify nearly all sensitive traffic."

Speaking to ZDNet, Cortesi said that although putting together the exploit from the publicly available information is not trivial, it took him less than a day to do so.

"This is a critical issue that could be very valuable in the wrong hands, so I'm sure that others are working on it as we speak."

"I think there's quite a good chance that I wasn't the first, so it's safest to assume that this is being actively exploited in the wild. Of course, it's also likely that intelligence agencies have been onto this issue for some time."

At the time of writing, Apple had still not released a patch for its desktop operating system, despite patching its mobile OS over the weekend.

"At the very least, the iOS and OSX updates should have been released simultaneously," Cortesi said. "Of course, we have no indication of how long Apple has known about this issue internally."

Throughout the day, Cortesi posted screenshots purporting to show the capture of software update traffic and the interception of iCloud keychain traffic.

"What should be exercising Apple right now: How do you roll out a patch when your software update mechanism can be transparently subverted?" he wrote.

The security consultant said that he will not be releasing his proof of concept until well after Apple has deployed its patch for OS X.

"This cracks open a range of avenues for further research, and I'm hard at work exploring these," he said.
