How Apple's Address Book app could allow the NSA to harvest your contacts

Submitted by quantr
quantr (1722336) writes "Overlooked in last week's revelation that the National Security Agency is harvesting hundreds of millions of e-mail address books around the world was this surprising factoid: Apple makes this mass collection easier because the Address Book app that by default manages Mac contacts doesn't use HTTPS encryption when syncing with Gmail accounts.
As a result, addresses that automatically travel between Macs and Google servers are sent as plain text, independent privacy researcher Ashkan Soltani wrote in The Washington Post last Monday. He provided the above screenshot demonstrating that Address Book contents appear in the clear to anyone who has the ability to monitor traffic over a Wi-Fi network or other connection. His observation came 15 months after another Mac user also warned that the Mac app offered no way to enable HTTPS when syncing e-mail address lists with Gmail.
"It appears that it's an Apple issue," Soltani told Ars, referring to the inability to enable HTTPS when Apple's Address Book is updated to a user's Gmail account. "Their other products support Gmail over HTTPS, so I suspect it would be a three-line fix in the contacts to alleviate this problem."
In fairness to Apple, Soltani pointed to this description of the Google contacts programming interface, which was officially discontinued in April 2012. It indicated HTTP as the sync mechanism for address books. It's possible Apple developers haven't updated their code since Google introduced the change. It's also possible the lack of HTTPS encryption will be fixed in Mavericks, the upcoming version of Mac OS X that Apple is expected to unveil Tuesday.
Once the current version of Address Book is configured to sync with Google's popular e-mail service, the Apple app checked in about once an hour on Macs Soltani tested. Anytime the app contained an address not found in Gmail, it would send the data unencrypted. Interestingly, the program uses the HTTPS protocol to cryptographically authenticate the machine advertising itself as a Gmail server, but the app goes on to send the addresses in plain text over an unencrypted HTTP connection, he said."
