Security consultant Aldo Cortesi mentioned in a blog post that it had taken him less than a day to exploit a bug in OS X to capture all SSL traffic, meaning there is a fairly strong chance he isn’t the only one to have done so.
I’ve confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OS X Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates, can be captured. This includes:
- App store and software update traffic
- iCloud data, including KeyChain enrollment and updates
- Data from the Calendar and Reminders
- Find My Mac updates
- Traffic for applications that use certificate pinning, like Twitter …
Cortesi mentioned that he modified mitmproxy, the man-in-the-middle proxy he maintains, in order to exploit the bug. He then tweeted a series of screenshots showing captured SSL data, including data from the iCloud keychain and a software update. Spooky stuff.
It’s difficult to overstate the seriousness of this issue. With a tool like mitmproxy anywhere on the network path (a shared Wi-Fi network is enough), an attacker can intercept, view and modify nearly all sensitive traffic. This extends to the software update mechanism itself, which is delivered over HTTPS.
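The post above does not describe the defect itself, only its effect. The publicly documented cause is a control-flow bug in the client's check of the TLS ServerKeyExchange signature: a duplicated, unconditional `goto fail;` inside an unbraced `if` skips the remaining hashing step and the signature comparison while the error variable still holds the success value from the previous step, so any signature is accepted. The C below is an added, simplified model written for this page, not Apple's Secure Transport source or Cortesi's code; a toy keyed checksum (hypothetical, FNV-1a based) stands in for the real RSA/ECDSA signature so the control-flow defect can be exercised without a crypto library, and the parameter bytes are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes for the model (assumed names, not Secure Transport's). */
#define ERR_OK        0
#define ERR_BAD_SIG   (-1)
#define ERR_HASH_FAIL (-2)

/* Toy "hash" context: a 32-bit FNV-1a state standing in for SHA-1/SHA-256. */
typedef struct { uint32_t state; } hash_ctx;

static int hash_init(hash_ctx *c) { c->state = 2166136261u; return ERR_OK; }

/* The step that can legitimately fail (e.g. bad input), returning an error. */
static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    if (p == NULL) return ERR_HASH_FAIL;
    for (size_t i = 0; i < n; i++) { c->state ^= p[i]; c->state *= 16777619u; }
    return ERR_OK;
}

static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->state; return ERR_OK; }

/* Stand-in for the public-key signature check over the key-exchange params. */
static int raw_verify(uint32_t digest, uint32_t sig) {
    return digest == sig ? ERR_OK : ERR_BAD_SIG;
}

/* What a genuine server would send: the checksum over its own params.
 * (A real signature would be computed with the server's private key.) */
uint32_t genuine_sig(const uint8_t *params, size_t n) {
    hash_ctx ctx; uint32_t d = 0;
    hash_init(&ctx); hash_update(&ctx, params, n); hash_final(&ctx, &d);
    return d;
}

/* Vulnerable: the second `goto fail;` is indented like the first but is not
 * governed by the if, so it always jumps. hash_final and raw_verify never
 * run, and err still holds ERR_OK from the successful hash_update. */
int verify_signed_params_vuln(const uint8_t *params, size_t n, uint32_t sig) {
    hash_ctx ctx; uint32_t digest = 0; int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional, err == 0 here */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Fixed: braces make the control flow explicit and the duplicate is gone,
 * so the signature comparison is always reached. */
int verify_signed_params_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    hash_ctx ctx; uint32_t digest = 0; int err;

    if ((err = hash_init(&ctx)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, params, n)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Constructed sample key-exchange parameters (not real DH/ECDH values). */
const uint8_t SAMPLE_PARAMS[] = { 0x03, 0x00, 0x17, 0x41, 0x04, 0xde, 0xad, 0xbe, 0xef };
const size_t SAMPLE_LEN = sizeof(SAMPLE_PARAMS);

int main(void) {
    uint32_t good = genuine_sig(SAMPLE_PARAMS, SAMPLE_LEN);
    uint32_t forged = good ^ 1;   /* an attacker's garbage signature */
    printf("vulnerable client, forged sig: %d (0 = accepted)\n",
           verify_signed_params_vuln(SAMPLE_PARAMS, SAMPLE_LEN, forged));
    printf("fixed client, forged sig:      %d\n",
           verify_signed_params_fixed(SAMPLE_PARAMS, SAMPLE_LEN, forged));
    printf("fixed client, genuine sig:     %d\n",
           verify_signed_params_fixed(SAMPLE_PARAMS, SAMPLE_LEN, good));
    return 0;
}
```

This is also why the certificate-pinning entry in the list above offers no protection: the attacker forwards the server's genuine certificate chain, which the client pins and accepts as usual, and then supplies key-exchange parameters of their own choosing with any signature at all, since the check that would tie those parameters to the pinned key is the one that never runs. Compilers will flag the vulnerable function with `-Wunreachable-code` or `-Wmisleading-indentation`; enabling those warnings, and bracing every conditional body, is the cheap defence against this bug class.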