The new iCloud Keychain feature in iOS 7 and OS X Mavericks allows Safari to sync passwords and credit card numbers across Macs and iOS devices. Although it uses two-factor authentication, there's a possible risk in using this feature.
As is true with other cloud services, such as Google accounts and Microsoft accounts, a hacker can use a combination of social engineering techniques and spoofing attacks to hijack an iCloud account, gaining access to the user's iCloud data. Many iCloud users share their credentials with iTunes and the Apple Store, so a hijacked iCloud username and password could also be used to purchase items from iTunes and the Apple Store online.
Apple plays it quiet in the security cat-and-mouse game
With security in general, it's often a cat-and-mouse game, where vendors release the latest patches or anti-whatever tools, and researchers figure out a way to bypass them, Foreground Security's Henderson says. Vendors engage with security researchers and white-hat hackers to identify and close off vulnerabilities in an awkward but useful dance -- not Apple, though.
"Apple should take the 'help us help you' approach and publicize the fact that it is willing to work with independent security researchers," Henderson advises. "If we look at the increased security features that Microsoft has started to include in its products over the past decade or so, you will see that most of these features are a result of working with security researchers and the general public."
Apple is much less transparent about its security policies than other vendors, says Mike Silver, a distinguished analyst at Gartner. (Apple declined to comment to InfoWorld on Mac security issues.) Plus, "Apple doesn't have specific timelines on how long it will support an OS for, which makes it difficult for organizations that have to certify security."
Should you worry? Yes, but not a lot.
This story, "A clear-eyed guide to Mac OS X's actual security risks," was originally published at InfoWorld.com.