Sam Oliver
Update: Apple has not commented on the matter, but numerous users have reported that clicking the "View Account" option in the FaceTime for Mac application no longer works. No update for the software was released to initiate the change.
As noted by Patrick Woods of Macworld Germany, once a computer is set up for FaceTime, the associated iTunes password can be changed without reentering the current password. This would allow anyone with physical access to a user's computer the ability to change their iTunes password, and potentially take control of their account, without knowing the existing password.
This can be accomplished by going into the preferences for the FaceTime application and selecting the iTunes account that was entered when the application was first set up. Users can then choose "View Account," where there are two password fields that can be used to change the account password.
Of course the new password must meet all of the requirements of iTunes, including 8 characters, a number, an uppercase letter and a lowercase letter. But the password could be entered without the knowledge of the account owner, if someone had access to their computer.
Users can choose to log out of their iTunes account by using the "Sign Out" button, but this also does not address the issue, as FaceTime for Mac beta automatically saves the iTunes account's password. A new user could simply click the "sign in" button to access the account and change its password.
FaceTime is Apple's open standard for video chat, first introduced earlier this year on the iPhone 4. On Wednesday, Apple released the first beta of its FaceTime for Mac application, which allows Mac users to video chat with other FaceTime users on the Mac, iPhone 4, or fourth-generation iPod touch.
FaceTime for Mac automatically accesses a user's Address Book contacts, so there's no need to create special buddy lists. It also works seamlessly with the built-in camera and mic on Mac notebooks, the iMac desktop, and Apple LED Cinema Displays.
FaceTime requires Mac OS X 10.6 Snow Leopard and can be set up using an Apple ID. The public beta is available at www.apple.com/mac/facetime.
-m.jpg)
Andrew O'Hara
Malcolm Owen
William Gallagher
Andrew Orr
38 Comments
And this is why public betas are a bad idea. Most end users have no idea about the implications, they simply think they're getting free/early software.
I also not that this security flaw requires physical access to the machine. Not exactly life threatening, but best to be tightened up.
Any idea when we will get a Windows version?
Any idea when we will get a Windows version?
When someone malkes a Windows version? I'm just glad they didn't add it to iTunes to get a shortterm adoption boost.
You call this a security problem? If a bad person has physical access to the logged-in account on your computer, you've probably got a lot more to worry about than your Apple ID.
And this is why public betas are a bad idea. Most end users have no idea about the implications, they simply think they're getting free/early software...
So then who's really at fault here? Apple for releasing a "wanted" public beta, or those who install it without entirely understanding the concept of a "beta"? I agree Apple should not have overlooked something so basic before releasing a public beta but these types of releases help to collect vital information that not only benefits Apple in their development but the end user as well; should such products reach the retail status or even for the sake of releasing a final version much quicker.
I would never go as far as to say public betas are a bad idea, they just need to be carefully thought out and developed before release. I think we can all rest assured that this particular flaw will be fixed very quickly. Think of it this way: Apple overlooked this, the public quickly discovered it and made mention. If Apple spent this much time and never noticed the issue, how much more time would have been wasted before the issue was discovered (had there not been a public beta)? Not to mention what could have happened had this issue carried over into the final release or as a preloaded feature on all new Macs.