Apple Gotofail bug: Simple mistake or NSA conspiracy?

Apple has released an iOS update designed to fix the "Gotofail" bug.
(Chris O’Brien/Los Angeles Times)

Apple spent the weekend scrambling to respond to a security bug called “Gotofail,” discovered first in its iOS devices and then in its Mac OS X operating system.

Beyond just leaving users vulnerable, the flaw ignited a debate among cybersecurity experts because the mistake in the code was considered so basic.

Some wondered how Apple could have made such a simple error.

“This sort of subtle bug deep in the code is a nightmare,” wrote Google’s security expert Adam Langley on his blog. “I believe that it’s just a mistake, and I feel very bad for whomever might have slipped in an editor and created it.”


But others wondered whether the code was a deliberate attempt to create a backdoor for government spy agencies. They pointed to the fact that some researchers have discovered that the bug first appeared in a version of iOS 6 at about the same time that slides released by Edward Snowden indicate that the National Security Agency claimed it had established a backdoor into some products by Apple.

“It’s purely circumstantial,” wrote noted Apple follower John Gruber, who writes the Daring Fireball blog. “But the shoe fits.”

Apple, like other tech companies named by Snowden, has repeatedly denied that it has created any kind of backdoor into its products for U.S. government spy agencies.

On Friday, Apple released a security update to iOS 7. In a note in a support forum, Apple said it had discovered that: “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” The two acronyms refer to security protocols.

As Wired’s Threat Level blog explained:

“The bug essentially means that when you’re e-mailing, tweeting, using Facebook or checking your bank account from a shared network, like a public WiFi or anything tapped by the NSA, an attacker could be listening in, or even maliciously modifying what goes to your iPhone or iPad.”

But the same flaw apparently also exists in the Mac OS X operating system. Experts suggested users stop using Apple’s Safari browser until the bug was patched.

On Saturday, Apple told Reuters that it would have a fix for the Mac problem “very soon.”

The security concern is a rare one for Apple. For years, the Mac operating system gained a reputation for having superior security to Microsoft’s Windows operating system.

Indeed, several critics said the concerns over the Gotofail bug were overblown. And they noted that cybersecurity experts have routinely detected far more security holes in Google’s Android operating system.

The Apple Insider blog insisted in a lengthy post that the focus on Apple’s security problem this weekend was part of a broader conspiracy between the media and Samsung.

