OS X Mavericks Fixes Apple Contacts Vulnerability NSA May Have Exploited

Why Apple's New Operating System May Upset The NSA

NEW YORK -- Apple's new operating system, OS X Mavericks, doesn't just offer a spiffed up Web browser and extended battery life. It may also help protect you from the National Security Agency.

Hours after Mavericks was released on Tuesday, Stanford University computer science PhD student Jonathan Mayer identified a change in the way the new operating system syncs Apple Contacts with Google accounts. Updates to address books in Mavericks are apparently now sent only in encrypted form, Mayer said, fixing a vulnerability that may have left some users' information exposed to government spying.

"The speculation seems to be that this is one of the ways in which the NSA was able to collect Google address book information," Mayer told HuffPost. "Certainly to the extent the NSA was doing simple keyword searches on the content of unencrypted Web traffic."

The Washington Post reported last week that the NSA is harvesting hundreds of millions of contact lists as they whip across the Internet. The agency said it only targets foreigners, but documents released by Edward Snowden suggest many ordinary Americans have been caught in the collection.

Mayer said Mavericks also appears to fix "an even nastier form of vulnerability, where it appears Contacts was also sending an authentication token to Google in plaintext." With that token, the NSA or someone watching your Web traffic as it passes over WiFi at a cafe could have gained access to your entire contact list, not just updates.

Apple did not immediately respond to a request for comment. The fix may help repair the company's image, marred by documents disclosed by Snowden that show the NSA had "direct access" to Apple servers and that iMessages are insecure.

Apple is not the only tech giant implicated in the contact list surveillance revelations. Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, said Apple's shift in Mavericks only fixes half the problem.

"In short, Apple was irresponsible in not giving users of non-Apple contacts services even the option of using encryption. Apple has fixed their end of the problem," Cardozo said in an email. "Google was irresponsible in giving its users the option to not use encryption for Google Contacts syncing. As far as I know, Google has not fixed its end of the problem."

Google did not immediately respond to a request for comment.

Before You Go

Sen. Dianne Feinstein (D-Calif.)

Politicians React To NSA Collecting Phone Records

Popular in the Community


What's Hot