Attention, Apple users: hackers could be monitoring your every keystroke, security experts are warning.
According to researchers at FireEye, the iOS 7 and OS X operating systems, used by iPhones, iPads and Apple computers, contain a serious flaw that could allow criminals to spy on users. In theory, it would be possible to capture everything the user types - up to and including banking passwords.
The FireEye team has discovered that the digital security certificates used to authorise a connection between Apple's Safari browser and external websites have not been checked properly. This means it's possible for hackers to impersonate a legitimate website and intercept data as it's sent, in what's known as a 'man-in-the-middle' attack.
The researchers used the vulnerability to develop their own key-logging application to show how easily it could be done.
"This 'monitoring' app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server," the researchers write.
There's no indication that the flaw has been exploited by real hackers - yet. However, fraudulent digital security certificates have successfully been used in the past to steal information, most notably by the creators of Stuxnet - one of the most notorious viruses ever released.
It appears that this latest loophole was created as long as eighteen months ago, with the accidental duplication of a single line of code in Apple's checking procedure.
"That duplicate line of code messes up the code's execution, meaning that a critical authentication check doesn't occur," explains security expert Graham Cluley. "A computer programmer's fumble at the keyboard has put the privacy of millions of iPhone and iPad users at risk. Whoever made that mistake must be feeling pretty bad right now."
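As an added illustration (not the article's code, nor Apple's), here is the control-flow mistake described above in C: a constructed, simplified stand-in for a certificate verification routine in which one duplicated, unconditional jump makes the final signature check dead code, so the function returns "success" whatever the signature is. The function names, the toy hash and the sample values are all assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the real hashing and signature steps (constructed). */
static int update_hash(int *ctx, const char *data)
{
    *ctx += (int)strlen(data);   /* not a real hash; enough to show control flow */
    return 0;                    /* "success", as every update does in this toy */
}

static int verify_signature(int ctx, int expected_sig)
{
    return ctx == expected_sig ? 0 : -1;   /* 0 = signature matches */
}

/* Vulnerable shape: the second "goto fail;" is not governed by any if, so it
 * always runs. verify_signature() is never reached, and err still holds the 0
 * from the last successful update, so a bogus signature is accepted. */
int verify_vulnerable(const char *a, const char *b, int expected_sig)
{
    int ctx = 0;
    int err;
    if ((err = update_hash(&ctx, a)) != 0)
        goto fail;
    if ((err = update_hash(&ctx, b)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional jump */
    if ((err = verify_signature(ctx, expected_sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: identical, minus the stray line, so the signature is checked. */
int verify_fixed(const char *a, const char *b, int expected_sig)
{
    int ctx = 0;
    int err;
    if ((err = update_hash(&ctx, a)) != 0)
        goto fail;
    if ((err = update_hash(&ctx, b)) != 0)
        goto fail;
    if ((err = verify_signature(ctx, expected_sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    int bogus_sig = 999;   /* the toy hash of "hello" + "world" is 10, so this is wrong */
    printf("vulnerable: %d (0 means accepted)\n", verify_vulnerable("hello", "world", bogus_sig));
    printf("fixed:      %d\n", verify_fixed("hello", "world", bogus_sig));
    return 0;
}
```

The point for defenders: most compilers do not warn about the unreachable check by default, and a test suite that only exercises valid certificates never notices the missing failure path, which is why unreachable-code warnings and negative test cases belong in the build.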
According to Apple, the problem can be fixed for iOS 7 users by downloading a new update, iOS 7.0.6 - available now by clicking Settings / General / Software Update.
However, laptop and desktop users running OS X are also vulnerable, and there's no official fix yet available. Apple is promising a fix 'very soon'. In the meantime, there is an unofficial patch available from i0n1c, here, though it should be stressed that it has no official endorsement. OS X users can check whether their machine is affected by visiting gotofail.com in Safari.