A flaw in the latest versions of both iOS and MacOS could enable hackers to take over Apple devices and use them in a DDoS attack.
According to security researcher Maksymilian Arciemowicz, both the mobile and desktop operating systems have a weak OCSP validation process that allows an attacker in a man-in-the-middle (MiTM) position to make the victim send OCSP requests (up to 200k) on their behalf.
The vulnerability affects both Apple MacOS 10.12.1 and iOS 10.
He said that Apple’s SecureTransport trusts and checks OCSP URLs without verifying the certificate authority or common name, among other things.
“[The] attacker is able to create [a] self-sign[ed] certificate with [a] huge list of OCSP URLs in order to trigger network traffic before inform[ing the] user about [an] untrusted certificate,” he said in a blog post.
Arciemowicz said the attack scenario is trivial. “The attacker sends [the] victim a link to some resource, e.g. [an] image through SSL, and [the] victim’s OS will perform a few thousand requests to OCSP URLs.”
He said the attack may also be directed at a third-party resource, so that many users unknowingly become part of a DDoS attack: one HTTPS request can trigger several thousand further HTTPS requests.
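As an added illustration, not code from the article, from Apple or from Arciemowicz’s research, the Python below parses the AuthorityInfoAccess (AIA) value of a certificate, counts the OCSP responder URLs it names, and applies the ordering the flaw violates: no OCSP request is issued until the chain is trusted, and a certificate listing an implausible number of responders is flagged instead of queried. The responder cap, the helper names and the constructed sample input are assumptions made for this example.

```python
# Added example, not Apple's or Arciemowicz's code: gate OCSP fetching on chain trust.
OID_OCSP = bytes.fromhex("2b06010505073001")   # id-ad-ocsp 1.3.6.1.5.5.7.48.1
MAX_OCSP_RESPONDERS = 2                         # assumed cap for this example, not Apple's

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length (DER, definite only)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):                             # (tag, value) of each TLV inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value

def ocsp_urls(aia_der):
    """Return every OCSP responder URI in an AIA value (SEQUENCE OF AccessDescription)."""
    tag, body, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    urls = []
    for tag, desc in _children(body):
        items = list(_children(desc)) if tag == 0x30 else []
        if len(items) == 2 and items[0] == (0x06, OID_OCSP) and items[1][0] == 0x86:
            urls.append(items[1][1].decode("ascii"))   # [6] uniformResourceIdentifier
    return urls

def assess(aia_der, chain_trusted):
    """Decide which responders, if any, a client may contact for this certificate."""
    if not chain_trusted:                       # trust decision first; no network I/O for untrusted certs
        return "untrusted-no-ocsp", []
    urls = ocsp_urls(aia_der)
    if len(urls) > MAX_OCSP_RESPONDERS:
        return "suspicious-responder-count", urls[:MAX_OCSP_RESPONDERS]
    return "ok", urls

def der_tlv(tag, content):                      # DER encoder, used only to build constructed test input
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_aia(urls):
    """Constructed AIA value listing each URL as an OCSP responder (test fixture, not a real cert)."""
    descs = b"".join(der_tlv(0x30, der_tlv(0x06, OID_OCSP) + der_tlv(0x86, u.encode("ascii"))) for u in urls)
    return der_tlv(0x30, descs)
```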
Another scenario involves extending the handshake time. “[I] observed [a] timeout of OCSP requests [of] seven seconds. However, you can try to increase the size of the OCSP response in order to consume network bandwidth,” said Arciemowicz.
“In the case of the iPhone, restart[ing] Safari will not stop [the] defective handshake. Similarly in macOS. It’s recommend[ed] to restart [the] device or disconnect from [the] network until all OCSP requests [have] expire[d],” he warned.
This article originally appeared at scmagazineuk.com