| SAN FRANCISCO
SAN FRANCISCO Feb 21 A major flaw in Apple Inc
software for mobile devices could allow hackers to
intercept email and other communications that are meant to be
encrypted, the company said in a Friday afternoon announcement.
If attackers have access to a user's network, such as by
sharing the same unsecured wireless service offered by a
restaurant, they could see or alter exchanges between the user
and protected sites such as Gmail and Facebook, experts said.
"It's as bad as you could imagine, that's all I can say,"
said Johns Hopkins University cryptography professor Matthew
Apple did not say when or how it learned about the flaw in
the way iOS handles sessions in what are known as secure sockets
layer or transport layer security, nor did it say whether the
flaw was being exploited.
But a statement on its support website was blunt: The
software "failed to validate the authenticity of the
Apple released software patches and an update for the
current version of iOS for iPhone 4 and later, 5th-generation
iPod touches, and iPad 2 and later.
Without the fix, a hacker could impersonate a protected site
and sit in the middle as email or financial data goes between
the user and the real site, Green said.
Apple did not reply to requests for comment. The flaw
appears to be in the way that well-understood protocols were
implemented, an embarrassing lapse for a company of Apple's
stature and technical prowess.
The company was recently stung by leaked intelligence
documents claiming that authorities had 100 percent success rate
in breaking into iPhones.
Friday's announcement suggests that enterprising hackers
could have had great success as well if they knew of the flaw.