One of the big announcements from the Apple media event yesterday is that the new Mac OS X Lion includes FaceTime video chat. That means that Macs and MacBooks can now join the army of iPhones and iPod Touch devices to engage in face to face conversations. Unfortunately, FaceTime for Mac also includes a massive security hole.
Although video chat and video conferencing have been around for years, the actual functionality has been underwhelming--if not outright frustrating. But, the hardware and software behind video chat are finally catching up to the potential. Because Apple developed FaceTime as an open standard, it could be instrumental in unifying video chat across various platforms--but not if it also opens users up to compromise and exploit.
A German Web site, MacNotes, found "With a few clicks others can make use of the user's Apple ID and reset the password with ease."
MacNotes goes on to explain, "Once you've logged into FaceTime you can have a look at all the account settings of the used Apple ID. Username, ID, place and birth date are shown as well as the security question and the answer to it - in plain text, without another password request. To reset the password to an Apple ID, all you need it the exact birth date and the answer to the security question - we tried that out for you, and it worked fine."
This is a serious issue. Any person that has physical access to a Mac set up with FaceTime can conceivably view sensitive information in plain text, change the assigned password without even knowing what the current password is, and access or compromise the Apple ID and iTunes account.
Another issue uncovered by MacNotes is, "When you choose "Log Out" from the top menu, the password remains in the password field, even when restarting the application. That shouldn't be the case though: Applications should remove passwords from the password field as soon as the application is closed."
Mac users should avoid using FaceTime until Apple resolves these security concerns. Users that want to risk using FaceTime anyway should take extra precautions to ensure that no unauthorized users can access the system.