Print 43 comment(s) - last by MaulBall789.. on Mar 29 at 9:56 AM

All that's needed to reset a password is a user's AppleID, date of birth, and email

Apple, Inc. (AAPL), a company infamous for weak security and brazen arrogance regarding its safety, has been in the spotlight for the wrong reasons of late.  Its policies last year allowed a huge hack on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.  

The hack caused Apple to embark on a series of security changes, which made it harder for remote users to retrieve a password that possibly wasn't theirs.  The latest step was to install two-step verification, a new process that sends a code to your device.

Apple began rolling out the new two-step authentication (FAQ) for users' Apple IDs this week.  Users can go here to apply.

Apple two step
Apple's 2-step ID verification.

But unfortunately Apple's own "iForgot" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation.  All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).  

If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.

Step 1: Use the first and last name, plus past addresses to recover the AppleId.

Step 2: Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]

The exploit was first reported/validated on by The Verge.  9 to 5 Mac went live with the above description of the exploit, pointing curious folks on where to go to try it out.

In an update The Verge reveals more bad news.  The site's Chris Welch writes:

Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.

Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (FB).

Sources: Apple, 9 to 5 Mac, The Verge

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Pot calls kettle black
By Tony Swash on 3/23/2013 8:12:13 AM , Rating: -1
Here is the link to the Google alert page about the Daily Tech security breach.

I began to find the DT site was blocked by Google when browsing with both Chrome and Safari, so I sent DT a message and Brandon Hill, DT's editor in Chief, emailed me to say "We've been in crisis mode all day working on it." Later that day they seemed to have fixed it. No public announcement of the issue was made by DT.

I didn't say anything public about it because I figure bad stuff happens to everyone and being a victim requires support not attack. The problem is the bad guys not their victims.

But when DT can shamelessly post a piece of sensationalist click bait like this article - in the same week they themselves were comprised - I just could stay silent. Sorry DT, I wish you the best with sorting out your own problems but I would love to see you raise the bar a bit on your reporting.

RE: Pot calls kettle black
By iano80 on 3/23/2013 11:30:11 AM , Rating: 2
I'm going to go out on a limb here and say that the reason DT was getting warnings was undoubtedly down to another 3rd party ad provider throwing out suspect ads.

This is not unusual and nothing DT can do anything about except fire off an email to their ad provider like any other ad-supported site (or go subscription only).

I fully accept that I may be wrong but to quote the page you linked:

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

Contrast this with Apple having to shutdown their iForgot password recovery system due to a flaw of their own making (which I certainly don't see as 'click bait') and your faux outrage looks pretty flimsy to me.

RE: Pot calls kettle black
By Armageddonite on 3/23/2013 11:58:53 AM , Rating: 3
To be fair, it's not Apple that is the biggest source of brazen ignorance regarding security, malware, etc. It's usually the Appholes and Macolytes who spread the plague of "too cool to fail." It's like a religion, but without the moral high ground.

"This week I got an iPhone. This weekend I got four chargers so I can keep it charged everywhere I go and a land line so I can actually make phone calls." -- Facebook CEO Mark Zuckerberg

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Most Popular Articles5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Laptop or Tablet - Which Do You Prefer?
September 20, 2016, 6:32 AM
Update: Samsung Exchange Program Now in Progress
September 20, 2016, 5:30 AM
Smartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki