Linked by Thom Holwerda on Tue 28th Jun 2011 22:16 UTC
With all the news about Anonymous, LulzSec, Anti-Sec, and so on, you'd almost forget there are more ethical hacking groups out there as well. One such group, YGN Ethical Hacker Group, informed Apple of several weaknesses in its developer website on April 25. Apple acknowledged the flaws, but so far hasn't done anything about them. YGN Ethical Hacker Group has now stated it will fully disclose the vulnerabilities if Apple doesn't fix them in the coming few days.
Thread beginning with comment 479185
RE: What is gained?
by Bill Shooter of Bul on Wed 29th Jun 2011 23:51 UTC in reply to "What is gained?"

I'm afraid I don't think I understand what you are talking about. It's not quite clear.

I think you are questioning if an arbitrary redirect is a real vulnerability. Is that right?

Well, take a look at this and see if it changes your mind:

It's true that not every vulnerability will or even can lead to an exploit, but it's a better idea to just fix the potential problems than to wait for someone to successfully be scammed. But make no mistake, this is a vulnerability that can and will be exploited if it is not fixed.

Edited 2011-06-29 23:53 UTC

Reply Parent Score: 2

So what happens when it gets patched
by kaelodest on Thu 30th Jun 2011 00:24 in reply to "RE: What is gained?"

Thanks for the insight, however I will still arrive at the original position. If one tricked a user into a malware install then that is cute, but it is not an exploit. An unpatched Mac will not go 'zombie' on its own. An unpatched Linux install will not go rogue - BOTH will expect admin access. Servers *could-possibly* be set to auto update and reboot, but that is NOT the default Linux install. AND that is what SACLs and service accounts are for. Meanwhile Windows still does the same old same old (Security as a Rogue Process) and promises us that this time it will be different.
No. All OS's vulnerabilities are exploitable or even well documented, but only one vendor/(Kernel+HAL) has so many holes. Sure, it will all be fixed in the next version of Windows, but I cannot escape the feeling that calling out the Mac OS or ANY other OS for security every July is exactly linkbait.
(•_~) I am once again speaking about a properly configured unit. I would never run a Windows box on the web in the default settings as the Admin account. YES, that is how the Mac OS ships, but if that is the case then where are the worms and root-kits? My position is that the proof is in the pudding.
-=- If I run a non-admin client for 24 hours clean and it is 'safe' 89.1% in *nix and 100% infected at the end of the day in Dot-Net or Active-X, then that IS no reason to call out the MacOS as being exploitable with no "Out of Lab Exploits" - You know, like a Mac with no browser open going zombie on a non-admin box. Prove it.

Reply Parent Score: 1

Bill Shooter of Bul

Dude, bad things can still happen with just a redirect: Phishing. Tricking people into giving them login credentials to sites that contain their financial information.

Let me be more explicit in the example:

1) You click a link that is clearly going to Which you think is safe and will have apple related information.

2) The link contained a redirect URL hidden at the end, so you are instead redirected to a bad site run by bad people who don't like you or your dog FluffyCakes.

3) The site looks like Apple's. Uh oh, it warns you that your credit card info needs to be updated for your App Store/iTunes account.

4) You enter in your credit card.

5) Bad people use your credit card. You later get a decline when trying to buy life-saving medicine for FluffyCakes. He dies.

The hackers killed your dog, man. It's got nothing to do with your OS, just your browser and your lack of fully checking each and every URL and foolish faith in Apple's security reputation*.

*Note: Even if it is Apple's site, don't give them your CC number. They also hate FluffyCakes.

Reply Parent Score: 3
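The redirect chain described in the comment above (a trusted link carrying a redirect parameter that lands the victim on a look-alike site) is the classic open redirect. The following is an added example, not code from the original thread and not Apple's code; the host names, the `next` parameter name and the allowlist are constructed for illustration. It shows the kind of naive "does it start with a slash?" check that lets scheme-relative targets such as `//evil.example/` through, next to a hardened check that resolves the target the way a browser would and then verifies the host against an allowlist.

```python
"""Open-redirect validation: a naive filter beside a hardened one.

All host names, the `next` parameter and TRUSTED_HOSTS are constructed for
this example (assumptions, not any real site's configuration).
"""
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed allowlist of hosts the application is allowed to send users to.
TRUSTED_HOSTS = {"developer.example.com", "www.example.com"}
SITE_ORIGIN = "https://developer.example.com"  # assumed origin of the redirecting page


def redirect_param(link: str, name: str = "next") -> Optional[str]:
    """Pull the redirect target out of a link's query string (the 'URL hidden at the end')."""
    values = parse_qs(urlsplit(link).query).get(name)
    return values[0] if values else None


def naive_is_local(target: str) -> bool:
    """The check that *looks* safe: accept anything beginning with '/'.

    It passes scheme-relative targets such as //evil.example/, which the
    browser resolves to https://evil.example/ -- exactly the phishing hop.
    """
    return target.startswith("/")


def safe_redirect_target(target: str, site_origin: str = SITE_ORIGIN) -> Optional[str]:
    """Return an absolute same-site URL for `target`, or None if it would leave the site.

    Rejects control characters, non-http(s) schemes, user-info tricks and
    backslash variants, then resolves the target against the site origin and
    checks the resulting host against TRUSTED_HOSTS.
    """
    if not target or any(ch in target for ch in "\r\n\t\x00"):
        return None
    # Browsers treat '\' like '/' in this position, so '/\evil.example' is
    # really '//evil.example'; normalise before resolving.
    target = target.replace("\\", "/")
    # Resolve relative targets the way a browser would, then inspect the result.
    resolved = urljoin(site_origin, target)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, etc.
    if parts.username or parts.password:
        return None  # https://user@host/ style confusion
    if parts.hostname not in TRUSTED_HOSTS:
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample link of the shape described in the comment.
    link = "https://developer.example.com/login?next=//evil.example/itunes-billing"
    target = redirect_param(link)
    print("target parameter:", target)
    print("naive check accepts it:", naive_is_local(target))
    print("hardened check result:", safe_redirect_target(target))
    print("legitimate target:", safe_redirect_target("/account/settings"))
```

The hardened check deliberately resolves first and inspects afterwards; string prefix tests on the raw parameter are what the scheme-relative and backslash variants defeat. Where a site only ever needs to bounce users to its own paths, an even simpler policy is to accept only a path (no scheme, no host) and build the absolute URL yourself.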