dominik wagner

Plain Text Passwords FTW – NOT.

Lex Friedman for Macworld.com (via daringfireball):

iOS users who try the hack may find that, in addition to robbing the developers behind apps that they enjoy, they’ve put themselves at risk. “I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld. “But not the credit card information.” Borodin said that he was “shocked” that passwords were passed in plain text and not encrypted.

Sending passwords directly never was, and never will be, a good idea. I'm quite anxious about the fact that Apple does this for the App Store in one place; that probably means it does so in others as well. That is costing trust. Together with its inability to check the identity of its own servers, which is also leading to a Game Center exploit to score any points you'd like with a simple man-in-the-middle attack anyone can do, this is really, really dangerous. I'm wondering when the first real Password Gate for iTunes accounts will be happening.

Update: As has been pointed out to me repeatedly, the term "Plain Text Passwords" is not exactly true if the connection is a TLS connection. However, my point here is that there is no need for sending the user's password in direct form, and combined with the fact that TLS is prone to man-in-the-middle attacks, and Apple's way of handling that in iOS in particular, this makes it unacceptable. So that is why I think the somewhat scandalous term "Plain Text Passwords" is warranted.

