HTTPS snooping flaw in third-party library affected 1,000 iOS apps with millions of users
Apps used by millions of iPhone and iPad owners became vulnerable to snooping when a flaw was introduced into third-party code they used to establish HTTPS connections.
The flaw was located in an open-source library called AFNetworking that’s used by hundreds of thousands of iOS and Mac OS X applications for communicating with Web services. The bug disabled the validation of digital certificates presented by servers when establishing secure HTTPS (HTTP over SSL/TLS) connections.
This means that attackers in a position to intercept encrypted traffic between affected applications and HTTPS servers could decrypt and modify the data by presenting the app with a fake certificate. This is known as a man-in-the-middle attack and can be launched over insecure wireless networks, by hacking into routers and through other methods.