Exploit Allows Users to Continue to Compromise Apple Users' Passwords
March 22, 2013 3:32 PM
comment(s) - last by
All that's needed to reset a password is a user's AppleID, date of birth, and email
Apple, Inc. (
), a company
infamous for weak security
brazen arrogance regarding its safety
, has been in the spotlight for the wrong reasons of late. Its policies last year allowed
a huge hack
on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.
The hack caused Apple to embark on
a series of security changes
, which made it harder for remote users to retrieve a password that possibly wasn't theirs. The latest step was to install two-step verification, a new process that sends a code to your device.
Apple began rolling out the new two-step authentication (
users' Apple IDs
this week. Users can
Apple's 2-step ID verification.
But unfortunately Apple's own "
" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation. All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).
If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.
Use the first and last name, plus past addresses to recover the AppleId.
Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]
The exploit was
9 to 5 Mac
with the above description of the exploit, pointing curious folks on where to go to try it out.
In an update
reveals more bad news. The site's Chris Welch writes:
Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.
Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (
9 to 5 Mac
This article is over a month old, voting and posting comments is disabled
RE: Sigh...here we go again
3/23/2013 10:44:38 AM
The bashers of Fox News missed the Pew Research study which found MSNBC was 85% opinion and 15% actual news compared to Fox's 55% opinion and 45% news.
Oh, the horror.
RE: Sigh...here we go again
3/23/2013 11:53:46 AM
Someone else doing wrong does not redeem one's own misdeeds...a lesson that many devotees of conservative media ignore. Even if someone else is more wrong than you, that doesn't make you right.
That said, I totally ignore Fox News and MSNBC to an equal degree, also the Huffington Post and the Drudge Report, etc. When it comes to news I try to find the most objective perspective available. I rotate between Reuters, CNN and BBC News, and I waste no time on opinion pieces. When it comes to partisan pandering, it's a waste of time...the people who believe it already agree, and the people who don't believe it just ignore it.
"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." -- Charlie Miller
Apple, Amazon Change Security Policies After Hack Attack on Journalist
August 8, 2012, 12:00 PM
Apple, Amazon's Weak Security Allows Huge Hack of Gizmodo Reporter
August 7, 2012, 12:28 PM
Apple to Update iTunes with iCloud Integration, Music Sharing
June 28, 2012, 5:07 PM
Kaspersky Labs: Apple's Security 10 Years Behind Microsoft
April 26, 2012, 7:39 AM
Mac Gets The Girl In New Anti-Microsoft Ad
May 13, 2009, 9:33 AM
Lenovo Completes $2.91B Acquisition of Motorola
October 30, 2014, 11:57 AM
Samsung Electronics Q3 Profit Falls by 60%, Mobile Division Sees 74% Profit Decline
October 30, 2014, 10:10 AM
Microsoft's $199 Fitness Band Packs in 10 Sensors, Works with Windows Phone, iOS, and Android
October 30, 2014, 8:58 AM
Google’s Project Ara Modular "LEGO" Smartphone Shown Booting Up on Video
October 29, 2014, 5:28 PM
After Touting Security, Privacy Controls, MCX/CurrentC Hack Exposes Customer Email Addresses
October 29, 2014, 3:08 PM
HP Reveals Sprout PC with Built in Projector, 20" Touch Sensitive Mat for Input
October 29, 2014, 1:13 PM
Most Popular Articles
Amid Theater Boycott Netflix Defiantly Plans New Movies, Plus 3 TV Shows for 2015
October 24, 2014, 7:30 PM
AT&T Defeats Purpose of New Apple SIM, Locks iPad Air 2 SIMs to Its Network
October 24, 2014, 2:17 PM
CVS, Rite Aid Kill Unofficial Apple Pay Support, Burn Google Wallet Users in the Process
October 25, 2014, 5:26 PM
1 Million Credit Card Activated on Apple Pay Within 72 Hours, Walmart CEO Hopes Visa "Suffers"
October 28, 2014, 8:17 AM
Microsoft's Figures Show Desktop Users Flocking to Windows 10 Preview
October 27, 2014, 11:04 AM
Latest Blog Posts
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information