backtop


Print 43 comment(s) - last by MaulBall789.. on Mar 29 at 9:56 AM

All that's needed to reset a password is a user's AppleID, date of birth, and email

Apple, Inc. (AAPL), a company infamous for weak security and brazen arrogance regarding its safety, has been in the spotlight for the wrong reasons of late.  Its policies last year allowed a huge hack on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.  

The hack caused Apple to embark on a series of security changes, which made it harder for remote users to retrieve a password that possibly wasn't theirs.  The latest step was to install two-step verification, a new process that sends a code to your device.

Apple began rolling out the new two-step authentication (FAQ) for users' Apple IDs this week.  Users can go here to apply.

Apple two step
Apple's 2-step ID verification.

But unfortunately Apple's own "iForgot" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation.  All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).  

If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.

AppleID
Step 1: Use the first and last name, plus past addresses to recover the AppleId.

AppleID
Step 2: Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]

The exploit was first reported/validated on by The Verge.  9 to 5 Mac went live with the above description of the exploit, pointing curious folks on where to go to try it out.

In an update The Verge reveals more bad news.  The site's Chris Welch writes:

Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.

Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (FB).

Sources: Apple, 9 to 5 Mac, The Verge



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

??
By kmmatney on 3/22/2013 4:06:43 PM , Rating: 2
Wouldn't they still need access to your email account to get the reset password? And wouldn't you be notified that the password has been reset?




RE: ??
By Shadowself on 3/22/2013 4:47:02 PM , Rating: 2
Not really. If you are an user with an Apple ID account (iCloud, iTunes, etc.) and have not yet set up the two stage verification, then no code will be sent to you so you can do the reset. You still fall under the old system. If you can convince an Apple help desk employee to reset the password or you have the information outlined above you can independently reset anyone's password. The owner of the account still gets an email to the setup email address (until you change that too!).

The thing Apple needs to do is make the sign up simpler and eliminate any lag between starting the setup and completion (three days to complete the process is truly asinine). Then Apple needs to advertise this to ALL Apple ID users -- over and over and over again. I'd bet that less than 10% of the people with Apple IDs even know that this two stage process exists and has a potential benefit to them.

I'm not sure I'd go so far as to say Apple needs to give users XX days and then lock them out until they set up their two stage authentication, but that wouldn't be a bad idea.


RE: ??
By CeriseCogburn on 3/23/2013 2:47:16 AM , Rating: 1

The ship is sinking...

LOL - the next product will be a good joke.

The appletards are "demoralized" and getting kicked when they're down...

Maybe they should build a state of the art mega million dollar hacking "antenna feeler" facility to see whose fingers are getting in the way... oh wait... they surely did that now we just need the ghost of Steve Jobs to explain all that and how cracked accounts are not really that because they spent so much special money in a gigantic super superior way to make it the most secure eva' !


Sigh...here we go again
By KeithP on 3/22/13, Rating: -1
RE: Sigh...here we go again
By ppardee on 3/22/2013 6:40:43 PM , Rating: 3
Not like normal people and MSNBC?

When people bash Fox News, it says two damning things about them. 1) They are mental slaves to the progressive party (which is slowly eating the Democrat party), and 2) they are so naive that they believe that Fox News is the only media outlet that has a political agenda.

EVERY media outlet spins the truth to try to get you to believe what they want. DT has an agenda, too. Looking at Tiffany's AGW stories will tell you that. But when it comes to Apple, DT calls a spade a spade. Apple has some good products and ideas (or so I'm told), but they also make some dumb moves. Ignoring security is one. They will report on the good and the bad.

It has been said in the past that PCs are like houses with bars on the windows in the bad part of town and Apples are like houses out in the country with no locks on the doors. Crime has come to the country and Apple still can't figure out they have to lock their stuff up. They WON'T until it hurts their bottom line.

Does your mom let you get away with stealing a candy bar because your friend stole a whole box of them? Apple is at fault for their security holes. Amazon's lax security does not excuse Apple's refusal to put proper time into risk mitigation.


RE: Sigh...here we go again
By ppardee on 3/22/2013 6:41:45 PM , Rating: 1
Sorry, I shouldn't bash Tiffany. She has gotten a lot better at being objective lately.


RE: Sigh...here we go again
By Shadowself on 3/22/2013 7:30:20 PM , Rating: 5
quote:
When people bash Fox News, it says two damning things about them.
Not necessarily. It could just be that they don't like extremism in their reporting. "Fair and balanced" is neither fair nor balanced if you have to dredge up pure crap to show "the other side". If you consider a radical-liberal-moderate-conservative-reactionary scale from 0 to 100 in that order, I'd consider most media in the 35 to 45 range. Fox news sits squarely in the 80+ range. Fox executives have repeatedly gone on the record over the years stating this simple fact very clearly. If you're into that range and want information that strongly supports that position, Fox is the perfect source for you. However, don't suggest that anyone who thinks Fox news is blatantly biased is naive about media agendas.

quote:
But when it comes to Apple, DT calls a spade a spade.
Absolutely not true. A couple of the authors on DT have a very clear anti Apple agenda and rarely refrain from pursuing it -- from inaccurate headlines to telling only half the story to not bothering to learn what reality is.

quote:
Apple has some good products and ideas (or so I'm told), but they also make some dumb moves. Ignoring security is one.
Absolutely true. Apple has done some truly stupid things. Remember the hockey puck mouse? It was equivalent in its stupidity, in my opinion, to Microsoft's Bob. Most people never heard of the horror stories of Apple's design years ago for one of its PowerMac systems that was designed so badly that it was virtually impossible to upgrade the RAM without losing some skin from your fingers. Blood on the motherboard--now that's intelligent design work! And even today, Apple has not fixed the stupidity of how iOS integrates with PCs or even Macs to merge contact data -- it's been bad since the first iPhone and Apple still has not fixed it. The list goes on and on and on.

However, in this case Apple is not ignoring security. They're just taking, at least in my personal opinion, a much, much to lax approach to implementing it. Is the approach any worse than Google or many other online systems? No, in fact in many cases it is the exact same approach. However, as I mentioned above, Apple setting up a security system that can take up to three days to take effect is truly asinine. Someone should be fired for setting up such a lame implementation scheme, but I doubt they will.

quote:
They will report on the good and the bad. [with regard to Apple]
When was the last time that DT reported a simple positive story about Apple or its products without some negative comment or spin thrown in on the side. Similarly, out of the last five years of reporting, what percentage of stories on DT that had Apple mentioned in them had something bad to say about Apple? If you only read the DT stories (and ignored the posts by readers) you'd think Apple was one of the most morally corrupt company on the planet; you'd think Apple had (and has) the worst design staff on the planet.


RE: Sigh...here we go again
By Reclaimer77 on 3/22/2013 7:58:38 PM , Rating: 1
I love it when someone bashes Fox. It allows me to instantly dismiss them as a Liberal, and therefor an idiot, without ever having to find out through a lengthy and frustrating discussion.

Especially those who mimic the populist "Faux" misnomer. Right off the bat tells you he's not only a Liberal moron, but a poser lacking critical thinking. How many of these people actually viewed Fox themselves and formed their own opinion? Very few. Which makes them weak minded.


RE: Sigh...here we go again
By superflex on 3/23/2013 10:44:38 AM , Rating: 2
The bashers of Fox News missed the Pew Research study which found MSNBC was 85% opinion and 15% actual news compared to Fox's 55% opinion and 45% news.
Oh, the horror.


RE: Sigh...here we go again
By Armageddonite on 3/23/2013 11:53:46 AM , Rating: 5
Someone else doing wrong does not redeem one's own misdeeds...a lesson that many devotees of conservative media ignore. Even if someone else is more wrong than you, that doesn't make you right.

That said, I totally ignore Fox News and MSNBC to an equal degree, also the Huffington Post and the Drudge Report, etc. When it comes to news I try to find the most objective perspective available. I rotate between Reuters, CNN and BBC News, and I waste no time on opinion pieces. When it comes to partisan pandering, it's a waste of time...the people who believe it already agree, and the people who don't believe it just ignore it.


RE: Sigh...here we go again
By gmyx on 3/25/13, Rating: 0
RE: Sigh...here we go again
By retrospooty on 3/23/2013 12:57:59 AM , Rating: 1
I don't think you quite have that right. DailyTech is an offshoot of Anandtech. I distinctly recall the day the iPhone 5 was released Anand himself published 14 articles on the iPhone 5. Other major phones like the galaxy S3 Galaxy S4 HTC One etc. all get 1 article. I'm not saying those articles were unfair but 14 to 1 kind of of shows that the bias has swung.


RE: Sigh...here we go again
By KoolAidMan1 on 3/23/2013 4:00:14 AM , Rating: 3
Not really, things are very different now. Kris Kubicki left years ago and the style moved to a more tabloid style. Quality is much lower too. The excellent content, editorial balance, and polish of Anandtech's articles are far from the amateur style and sensationalism that DT has. Just basic grammar is a challenge here a lot of the time.


RE: Sigh...here we go again
By xti on 3/23/2013 10:02:15 AM , Rating: 1
yeah, DT kinda ruins AT great image imo.


RE: Sigh...here we go again
By retrospooty on 3/23/2013 1:18:09 PM , Rating: 2
"Quality is much lower too. The excellent content, editorial balance, and polish of Anandtech's articles are far from the amateur style and sensationalism that DT has."

I agree with you there... No-one that has been coming here for any amount of time could disagree with that.

But for the bias mentioned, either on the sites or the visitors to the comments section of either, there is no anti Apple bias. IF anything on the sites, Apple gets mroe coverage. If anything on the comments sections there are more "Apple can do no wrong" apologists than anything... Yourself included.


RE: Sigh...here we go again
By KoolAidMan1 on 3/23/2013 5:47:13 PM , Rating: 2
The bias here is obvious to anyone who doesn't have their head up their ass. I own one Apple product right now, an iPad. Otherwise I have a Windows desktop, a Lumia phone, and owned Android phones before this. If you think saying "Apple does a good job" is the same as "Apple can do no wrong" then you should rethink what bias really is.

The apologism for Android around here is much worse, I say this as someone who had Android phones up until a few months ago. You see it in both the bias of the articles and the loudest commenters.


RE: Sigh...here we go again
By retrospooty on 3/23/2013 8:04:48 PM , Rating: 2
". If you think saying "Apple does a good job" is the same as "Apple can do no wrong" then you should rethink what bias really is."

I say Apple does/did a good job quite often. The original iPhone and later the retina screen are good examples of that, and we all benefit from the,. You defend Apple suing any and all of its competitors for copying things it copied in the first place, that gets you that title and "worthless hypocrite" to boot. Maybe I am mixing you up with someone else, if I did I apologize.


RE: Sigh...here we go again
By KoolAidMan1 on 3/23/2013 9:37:48 PM , Rating: 2
The only thing I recall saying a few days ago is that suing between these companies is standard. It is a symptom of the system. As a user I don't care about what happens in court, just who has better stuff. The rest is a sideshow for fanboys.


RE: Sigh...here we go again
By retrospooty on 3/23/2013 10:01:49 PM , Rating: 2
"I don't care about what happens in court, just who has better stuff."

Totally agreed, and I don't care who copies who... Just the best product at the best price.


RE: Sigh...here we go again
By KoolAidMan1 on 3/24/2013 5:50:07 PM , Rating: 2
I've seen your huge lists and opinions, the last thing I'd call you is fair or unbiased. You actually believe that the articles here are fair, balanced, and accurate. That would be Anandtech, not the pandering and inflammatory crap they post here on DT.

You hide behind an air of reason and backtracking, and maybe you actually believe that, but the fact that you complain about low quality on DT while totally eating it up and reinforcing their viewpoint is more important.


RE: Sigh...here we go again
By retrospooty on 3/24/2013 5:54:40 PM , Rating: 1
Facts are facts, a list of features that one OS has and the other doesn't isn't an opinion. A few items on that list are, but the vast majority is pure fact.

I have been coming here a long time, years and years before dailytech even existed, and yes, the quality of DT has lowered, but I still enjoy the news and see no reason to change. Sounds like you really don't like it and are vising the wrong site. Don't let the door hit ya.


RE: Sigh...here we go again
By KoolAidMan1 on 3/25/2013 6:16:37 AM , Rating: 2
Its a lot of opinion when it comes down to it. I put up with Android for years and got tired of waiting for its numerous problems to get fixed. Your list of features that can be found in the cheapest devices isn't convincing, and for me it isn't worth the tradeoffs. You either don't really use your phone very much or you have very low standards.

I've been coming to AT since 1999, pretty old school. You don't need to be here long though to see that AT is extremely balanced while DT isn't. Of course you see no reason for DT to change, you eat it all up while pretending to be disappointed in an attempt to look fair.

You are right that I am visiting the wrong site. Maybe AT will remove it from the sidebar someday.


RE: Sigh...here we go again
By retrospooty on 3/25/2013 8:20:10 AM , Rating: 2
I meant I saw no reason for me to change sites, I visit through Anandtech as well. I agree DT has gone downhill and has pretty much become the tech equivalent of tabloid journalism... But much of the news is still news.


RE: Sigh...here we go again
By xti on 3/23/2013 10:40:15 PM , Rating: 2
i would say the readers here are 50/50 split.

the writers... is another story. like the samsung iv articles...12 words into it, it goes on to just remind everyone that they dont like it... sometimes it just goes too far, i wanted to read up about the successor to my current phone, not have their hatred of apple shoved down my throat yet again.

AT is the only reason DT gets exposure...and its being wasted...evident by the similar complaints of others on here.


RE: Sigh...here we go again
By xti on 3/23/2013 10:41:40 PM , Rating: 2
quote:
12 words into it, it goes on to just remind everyone that they dont like it


that should read:

12 words into it, it goes on to just remind everyone that they dont like apple


This place is a joke.
By half_duplex on 3/23/13, Rating: -1
RE: This place is a joke.
By Cheesew1z69 on 3/23/2013 9:08:07 PM , Rating: 3
And the Apple people do it as well. Don't let the door hit you on the way out loser!


RE: This place is a joke.
By KoolAidMan1 on 3/23/2013 10:14:23 PM , Rating: 2
If you say that iOS has great hardware and apps, "bias". If you say that WP has a great UI, "lol WP".

The Android defense brigade here is loud and strong. I was on Android for years until I sold my Nexus 4, and I have no problem saying that it still has a lot of problems. I don't know if they have an inferiority complex or battered housewife syndrome. It is obnoxious for sure.


RE: This place is a joke.
By martin5000 on 3/24/2013 3:57:18 PM , Rating: 3
Apple's of the biggest companies in the world, why should they be except from criticism? Much of it is 100% deserved anyway.

Android fans are becoming increasingly annoying though. I do think it's pretty odd how people get so protective of the OS their phone happens to be using.


Pot calls kettle black
By Tony Swash on 3/22/13, Rating: -1
RE: Pot calls kettle black
By retrospooty on 3/22/2013 10:42:15 PM , Rating: 2
LOL... U mad bro ? Did someone insult "the precious"?


RE: Pot calls kettle black
By Milliamp on 3/23/2013 1:19:48 AM , Rating: 1
Not sure why this is downvoted, I'm genuinely curious to the nature of the daily tech compromise. I've scanned/looked around the machines I use to visit the websites and found nothing but I have reason to be suspicious that I could have potentially been impacted.


RE: Pot calls kettle black
By Tony Swash on 3/23/13, Rating: -1
RE: Pot calls kettle black
By iano80 on 3/23/2013 11:30:11 AM , Rating: 2
I'm going to go out on a limb here and say that the reason DT was getting warnings was undoubtedly down to another 3rd party ad provider throwing out suspect ads.

This is not unusual and nothing DT can do anything about except fire off an email to their ad provider like any other ad-supported site (or go subscription only).

I fully accept that I may be wrong but to quote the page you linked:

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, www.dailytech.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

Contrast this with Apple having to shutdown their iForgot password recovery system due to a flaw of their own making (which I certainly don't see as 'click bait') and your faux outrage looks pretty flimsy to me.


RE: Pot calls kettle black
By Armageddonite on 3/23/2013 11:58:53 AM , Rating: 3
To be fair, it's not Apple that is the biggest source of brazen ignorance regarding security, malware, etc. It's usually the Appholes and Macolytes who spread the plague of "too cool to fail." It's like a religion, but without the moral high ground.


RE: Pot calls kettle black
By retrospooty on 3/23/2013 1:19:46 PM , Rating: 2
"Not sure why this is downvoted, I'm genuinely curious to the nature of the daily tech compromise."

Becasue Tony isnt posting in relation to the DT compromise... HE is posting to detract from the negative attention Apple gets and everyone here at AT/DT knows his agenda.


RE: Pot calls kettle black
By Tony Swash on 3/23/13, Rating: 0
RE: Pot calls kettle black
By retrospooty on 3/23/2013 4:33:14 PM , Rating: 2
BS... you were posting for Apple and only Apple because you saw a negative comment about them so you had to detract from it. If it were Samsung or Google, you would have posted some obscure link to try and make them look worse and you know it. You act like we aren't all aware of your agenda and know you are 100% full of s$%t.


RE: Pot calls kettle black
By Tony Swash on 3/24/13, Rating: -1
RE: Pot calls kettle black
By retrospooty on 3/24/2013 1:11:59 PM , Rating: 2
I know, the truth hurts when its the precious...Those companies aren't known for weak security and brazen arrogance Apple is. MS security may be weak, certainly in the past but they take it seriously.


RE: Pot calls kettle black
By MaulBall789 on 3/29/2013 9:56:21 AM , Rating: 2
quote:
Those companies aren't known for weak security and brazen arrogance


Seriously dude? Samsung? They are historically one of the world's worst offenders of brazen arrogance in copying other technology and calling it their own, long before iStuff or even Apple ever existed. Not to mention their own major security exploit that affects the SIII, NoteII and others that are nearly 4-6 months old (depending on who you ask) and are only now getting around to patching. Come on man, think before you type.


RE: Pot calls kettle black
By retrospooty on 3/24/2013 2:54:20 PM , Rating: 2
"there is nothing wrong with trying to rebalance the discourse around Apple which is all I am trying to do with my comments "

LOL... That sentence from you is beyond just ironic, it is a straight up bold faced lie (underlined because to simply call it a "bold face lie" seems far too weak of a description). Yes, thank you Tony for bring a balanced debate to the table /facepalm

If you don't like the reporting on the site, maybe you shouldn't be one of the primary people clicking on it eh? I just did a quick google and found a site that would be much more suited to your type of "balance". http://www.ifans.com/forums/


RE: Pot calls kettle black
By iano80 on 3/23/2013 4:47:44 PM , Rating: 2
Tony, you were deflecting attention.

Regardless of irrelevant security warnings from one of the multiple sites reporting the issue, if GMail had been mentioned instead you'd have been all over it.


“We do believe we have a moral responsibility to keep porn off the iPhone.” -- Steve Jobs














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki