In its own words:
Sources: 55179.13.c, 55471.c
Source code differences between two consecutive versions of Security.framework, a macOS/iOS component. The seemingly innocuous extra goto fail; (a duplicated line, with no braces around the if body) caused the SSL/TLS certificate verification to be silently skipped entirely: any certificate would be accepted as valid, making every HTTPS connection on affected devices vulnerable to man-in-the-middle attacks. The bug (CVE-2014-1266) affected iOS 6/7 and OS X Mavericks and was patched in iOS 7.0.6 and OS X 10.9.2. It became one of the most famous examples of why braces matter and why code review catches what compilers don't. See ImperialViolet's technical analysis for the full details.
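To make the control-flow defect concrete, here is an added illustrative C example; it is not the Security.framework source. hash_update and verify_signature are constructed stand-ins for the real hashing and signature steps, and the two functions show the duplicated goto fail; beside the braced fix.

```c
#include <stdint.h>

/* Constructed error codes for the stand-in helpers below. */
enum { errOK = 0, errBadHash = -1, errBadSignature = -2 };

/* Constructed stub for an intermediate hashing step: fails when chunk_ok is 0. */
static int hash_update(int chunk_ok) {
    return chunk_ok ? errOK : errBadHash;
}

/* Constructed stub for the final signature check: a plain byte comparison. */
static int verify_signature(uint8_t expected, uint8_t actual) {
    return expected == actual ? errOK : errBadSignature;
}

/* Vulnerable shape. Without braces, only the first goto belongs to the if;
 * the second goto is unconditional, so the signature check after it is
 * unreachable and err still holds the 0 from the last successful step. */
int verify_vulnerable(int chunk_ok, uint8_t expected, uint8_t actual) {
    int err;
    if ((err = hash_update(chunk_ok)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: always taken */
    if ((err = verify_signature(expected, actual)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape. Braces make the scope of each goto explicit, so a stray
 * duplicate would stay inside the conditional and the check still runs. */
int verify_fixed(int chunk_ok, uint8_t expected, uint8_t actual) {
    int err;
    if ((err = hash_update(chunk_ok)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(expected, actual)) != 0) {
        goto fail;
    }
fail:
    return err;
}
```

A compiler invoked with unreachable-code warnings enabled flags the second goto, which is the kind of check worth turning on for security-critical code.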