backtop


Print 43 comment(s) - last by MaulBall789.. on Mar 29 at 9:56 AM

All that's needed to reset a password is a user's AppleID, date of birth, and email

Apple, Inc. (AAPL), a company infamous for weak security and brazen arrogance regarding its safety, has been in the spotlight for the wrong reasons of late.  Its policies last year allowed a huge hack on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.  

The hack caused Apple to embark on a series of security changes, which made it harder for remote users to retrieve a password that possibly wasn't theirs.  The latest step was to install two-step verification, a new process that sends a code to your device.

Apple began rolling out the new two-step authentication (FAQ) for users' Apple IDs this week.  Users can go here to apply.

Apple two step
Apple's 2-step ID verification.

But unfortunately Apple's own "iForgot" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation.  All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).  

If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.

AppleID
Step 1: Use the first and last name, plus past addresses to recover the AppleId.

AppleID
Step 2: Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]

The exploit was first reported/validated on by The Verge.  9 to 5 Mac went live with the above description of the exploit, pointing curious folks on where to go to try it out.

In an update The Verge reveals more bad news.  The site's Chris Welch writes:

Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.

Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (FB).

Sources: Apple, 9 to 5 Mac, The Verge



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Sigh...here we go again
By Shadowself on 3/22/2013 7:30:20 PM , Rating: 5
quote:
When people bash Fox News, it says two damning things about them.
Not necessarily. It could just be that they don't like extremism in their reporting. "Fair and balanced" is neither fair nor balanced if you have to dredge up pure crap to show "the other side". If you consider a radical-liberal-moderate-conservative-reactionary scale from 0 to 100 in that order, I'd consider most media in the 35 to 45 range. Fox news sits squarely in the 80+ range. Fox executives have repeatedly gone on the record over the years stating this simple fact very clearly. If you're into that range and want information that strongly supports that position, Fox is the perfect source for you. However, don't suggest that anyone who thinks Fox news is blatantly biased is naive about media agendas.

quote:
But when it comes to Apple, DT calls a spade a spade.
Absolutely not true. A couple of the authors on DT have a very clear anti Apple agenda and rarely refrain from pursuing it -- from inaccurate headlines to telling only half the story to not bothering to learn what reality is.

quote:
Apple has some good products and ideas (or so I'm told), but they also make some dumb moves. Ignoring security is one.
Absolutely true. Apple has done some truly stupid things. Remember the hockey puck mouse? It was equivalent in its stupidity, in my opinion, to Microsoft's Bob. Most people never heard of the horror stories of Apple's design years ago for one of its PowerMac systems that was designed so badly that it was virtually impossible to upgrade the RAM without losing some skin from your fingers. Blood on the motherboard--now that's intelligent design work! And even today, Apple has not fixed the stupidity of how iOS integrates with PCs or even Macs to merge contact data -- it's been bad since the first iPhone and Apple still has not fixed it. The list goes on and on and on.

However, in this case Apple is not ignoring security. They're just taking, at least in my personal opinion, a much, much to lax approach to implementing it. Is the approach any worse than Google or many other online systems? No, in fact in many cases it is the exact same approach. However, as I mentioned above, Apple setting up a security system that can take up to three days to take effect is truly asinine. Someone should be fired for setting up such a lame implementation scheme, but I doubt they will.

quote:
They will report on the good and the bad. [with regard to Apple]
When was the last time that DT reported a simple positive story about Apple or its products without some negative comment or spin thrown in on the side. Similarly, out of the last five years of reporting, what percentage of stories on DT that had Apple mentioned in them had something bad to say about Apple? If you only read the DT stories (and ignored the posts by readers) you'd think Apple was one of the most morally corrupt company on the planet; you'd think Apple had (and has) the worst design staff on the planet.


"My sex life is pretty good" -- Steve Jobs' random musings during the 2010 D8 conference














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki