{"id":1177,"date":"2009-03-13T15:46:12","date_gmt":"2009-03-13T23:46:12","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=1177"},"modified":"2009-03-13T15:46:12","modified_gmt":"2009-03-13T23:46:12","slug":"current-event-itunes-vulnerability-leak-user-credentials","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/current-event-itunes-vulnerability-leak-user-credentials\/","title":{"rendered":"Current Event: iTunes vulnerability leaks user credentials"},"content":{"rendered":"<p>The recently released iTunes 8.1 closed two major security gaps from the previous version. According to <a title=\"About the security content of iTunes 8.1\" href=\"http:\/\/support.apple.com\/kb\/HT3487\">Apple<\/a>, until the latest release, maliciously crafted podcasts could cause iTunes to ask the user for credentials but send the username and password to a destination other than Apple&#8217;s server. Furthermore, a bug in the iTunes DAAP protocol allowed attackers to send messages with specific Content-Length fields, causing an infinite loop, and thus a denial of service, for Windows users.<\/p>\n<p>Reference: <a title=\"Rigged podcasts can leak your username\/password\" href=\"http:\/\/blogs.zdnet.com\/security\/?p=2861\">ZDNet<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The recently released iTunes 8.1 closed two major security gaps from the previous version. According to Apple, until the latest release, maliciously crafted podcasts could cause iTunes to ask the user for credentials but send the username and password to a &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/current-event-itunes-vulnerability-leak-user-credentials\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":121,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,9],"tags":[47,151,191,211],"class_list":["post-1177","post","type-post","status-publish","format-standard","hentry","category-current-events","category-privacy","tag-apple","tag-current-event","tag-ddos","tag-privacy"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1177","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/121"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=1177"}],"version-history":[{"count":2,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1177\/revisions"}],"predecessor-version":[{"id":1179,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1177\/revisions\/1179"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=1177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=1177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=1177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}