This has been a rough few days for Apple.  A ‘goto fail’ hole appeared in the OS that lets people defect a security server key which lets them do .. well not sure.  From a quick read of the code, seems like if you can get a false handshake to work then depending on the package you could redirect emails, sms messages, perhaps redirect the auth process and make the user buy something from the store?  Not sure, but here is the code.

static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { OSStatus err; … if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; … fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; }

However, Apple has said they released a fix, so if you are swinging an Apple device, you may want to path up quickly.