Exploit Allows Users to Continue to Compromise Apple Users' Passwords
March 22, 2013 3:32 PM
comment(s) - last by
All that's needed to reset a password is a user's AppleID, date of birth, and email
Apple, Inc. (
), a company
infamous for weak security
brazen arrogance regarding its safety
, has been in the spotlight for the wrong reasons of late. Its policies last year allowed
a huge hack
on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.
The hack caused Apple to embark on
a series of security changes
, which made it harder for remote users to retrieve a password that possibly wasn't theirs. The latest step was to install two-step verification, a new process that sends a code to your device.
Apple began rolling out the new two-step authentication (
users' Apple IDs
this week. Users can
Apple's 2-step ID verification.
But unfortunately Apple's own "
" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation. All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).
If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.
Use the first and last name, plus past addresses to recover the AppleId.
Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]
The exploit was
9 to 5 Mac
with the above description of the exploit, pointing curious folks on where to go to try it out.
In an update
reveals more bad news. The site's Chris Welch writes:
Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.
Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (
9 to 5 Mac
This article is over a month old, voting and posting comments is disabled
3/22/2013 4:06:43 PM
Wouldn't they still need access to your email account to get the reset password? And wouldn't you be notified that the password has been reset?
3/22/2013 4:47:02 PM
Not really. If you are an user with an Apple ID account (iCloud, iTunes, etc.) and have not yet set up the two stage verification, then no code will be sent to you so you can do the reset. You still fall under the old system. If you can convince an Apple help desk employee to reset the password or you have the information outlined above you can independently reset anyone's password. The owner of the account still gets an email to the setup email address (until you change that too!).
The thing Apple needs to do is make the sign up simpler and eliminate any lag between starting the setup and completion (three days to complete the process is truly asinine). Then Apple needs to advertise this to ALL Apple ID users -- over and over and over again. I'd bet that less than 10% of the people with Apple IDs even know that this two stage process exists and has a potential benefit to them.
I'm not sure I'd go so far as to say Apple needs to give users XX days and then lock them out until they set up their two stage authentication, but that wouldn't be a bad idea.
3/23/2013 2:47:16 AM
The ship is sinking...
LOL - the next product will be a good joke.
The appletards are "demoralized" and getting kicked when they're down...
Maybe they should build a state of the art mega million dollar hacking "antenna feeler" facility to see whose fingers are getting in the way... oh wait... they surely did that now we just need the ghost of Steve Jobs to explain all that and how cracked accounts are not really that because they spent so much special money in a gigantic super superior way to make it the most secure eva' !
"If you mod me down, I will become more insightful than you can possibly imagine." -- Slashdot
Apple, Amazon Change Security Policies After Hack Attack on Journalist
August 8, 2012, 12:00 PM
Apple, Amazon's Weak Security Allows Huge Hack of Gizmodo Reporter
August 7, 2012, 12:28 PM
Apple to Update iTunes with iCloud Integration, Music Sharing
June 28, 2012, 5:07 PM
Kaspersky Labs: Apple's Security 10 Years Behind Microsoft
April 26, 2012, 7:39 AM
Mac Gets The Girl In New Anti-Microsoft Ad
May 13, 2009, 9:33 AM
Retiree Sues Apple For $7,500 for Wiping Honeymoon Photos From His iPhone
November 30, 2015, 10:23 AM
iPhone 7 May Pack 3-4 GB Memory, More Storage; 4-Inch Comeback is Rumored
November 20, 2015, 10:12 PM
OnePlus One, OnePlus 2 Will Receive Android Marshmallow in Q1 2016
November 16, 2015, 9:58 AM
Lenovo Whoa: Motorola Droid MAXX 2 and Turbo 2 Break Cover in Leaks
October 26, 2015, 3:12 PM
Leak: Apple Preps for First Real Android App Foray With New Apple Music App
October 24, 2015, 1:59 PM
Pepsi Smartphone? Empty Calories Coming Soon to the Midrange
October 12, 2015, 11:41 PM
Most Popular Articles
Top 5 Smart Watches
July 21, 2016, 11:48 PM
Free Windows 10 offer ends July 29th, 2016: 10 Reasons to Upgrade Immediately
July 22, 2016, 9:19 PM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2016 DailyTech LLC. -
Terms, Conditions & Privacy Information