backtop


Print 43 comment(s) - last by MaulBall789.. on Mar 29 at 9:56 AM

All that's needed to reset a password is a user's AppleID, date of birth, and email

Apple, Inc. (AAPL), a company infamous for weak security and brazen arrogance regarding its safety, has been in the spotlight for the wrong reasons of late.  Its policies last year allowed a huge hack on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.  

The hack caused Apple to embark on a series of security changes, which made it harder for remote users to retrieve a password that possibly wasn't theirs.  The latest step was to install two-step verification, a new process that sends a code to your device.

Apple began rolling out the new two-step authentication (FAQ) for users' Apple IDs this week.  Users can go here to apply.

Apple two step
Apple's 2-step ID verification.

But unfortunately Apple's own "iForgot" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation.  All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).  

If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.

AppleID
Step 1: Use the first and last name, plus past addresses to recover the AppleId.

AppleID
Step 2: Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]

The exploit was first reported/validated on by The Verge.  9 to 5 Mac went live with the above description of the exploit, pointing curious folks on where to go to try it out.

In an update The Verge reveals more bad news.  The site's Chris Welch writes:

Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.

Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (FB).

Sources: Apple, 9 to 5 Mac, The Verge



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Sigh...here we go again
By KoolAidMan1 on 3/23/2013 5:47:13 PM , Rating: 2
The bias here is obvious to anyone who doesn't have their head up their ass. I own one Apple product right now, an iPad. Otherwise I have a Windows desktop, a Lumia phone, and owned Android phones before this. If you think saying "Apple does a good job" is the same as "Apple can do no wrong" then you should rethink what bias really is.

The apologism for Android around here is much worse, I say this as someone who had Android phones up until a few months ago. You see it in both the bias of the articles and the loudest commenters.


RE: Sigh...here we go again
By retrospooty on 3/23/2013 8:04:48 PM , Rating: 2
". If you think saying "Apple does a good job" is the same as "Apple can do no wrong" then you should rethink what bias really is."

I say Apple does/did a good job quite often. The original iPhone and later the retina screen are good examples of that, and we all benefit from the,. You defend Apple suing any and all of its competitors for copying things it copied in the first place, that gets you that title and "worthless hypocrite" to boot. Maybe I am mixing you up with someone else, if I did I apologize.


RE: Sigh...here we go again
By KoolAidMan1 on 3/23/2013 9:37:48 PM , Rating: 2
The only thing I recall saying a few days ago is that suing between these companies is standard. It is a symptom of the system. As a user I don't care about what happens in court, just who has better stuff. The rest is a sideshow for fanboys.


RE: Sigh...here we go again
By retrospooty on 3/23/2013 10:01:49 PM , Rating: 2
"I don't care about what happens in court, just who has better stuff."

Totally agreed, and I don't care who copies who... Just the best product at the best price.


RE: Sigh...here we go again
By KoolAidMan1 on 3/24/2013 5:50:07 PM , Rating: 2
I've seen your huge lists and opinions, the last thing I'd call you is fair or unbiased. You actually believe that the articles here are fair, balanced, and accurate. That would be Anandtech, not the pandering and inflammatory crap they post here on DT.

You hide behind an air of reason and backtracking, and maybe you actually believe that, but the fact that you complain about low quality on DT while totally eating it up and reinforcing their viewpoint is more important.


RE: Sigh...here we go again
By retrospooty on 3/24/2013 5:54:40 PM , Rating: 1
Facts are facts, a list of features that one OS has and the other doesn't isn't an opinion. A few items on that list are, but the vast majority is pure fact.

I have been coming here a long time, years and years before dailytech even existed, and yes, the quality of DT has lowered, but I still enjoy the news and see no reason to change. Sounds like you really don't like it and are vising the wrong site. Don't let the door hit ya.


RE: Sigh...here we go again
By KoolAidMan1 on 3/25/2013 6:16:37 AM , Rating: 2
Its a lot of opinion when it comes down to it. I put up with Android for years and got tired of waiting for its numerous problems to get fixed. Your list of features that can be found in the cheapest devices isn't convincing, and for me it isn't worth the tradeoffs. You either don't really use your phone very much or you have very low standards.

I've been coming to AT since 1999, pretty old school. You don't need to be here long though to see that AT is extremely balanced while DT isn't. Of course you see no reason for DT to change, you eat it all up while pretending to be disappointed in an attempt to look fair.

You are right that I am visiting the wrong site. Maybe AT will remove it from the sidebar someday.


RE: Sigh...here we go again
By retrospooty on 3/25/2013 8:20:10 AM , Rating: 2
I meant I saw no reason for me to change sites, I visit through Anandtech as well. I agree DT has gone downhill and has pretty much become the tech equivalent of tabloid journalism... But much of the news is still news.


"Let's face it, we're not changing the world. We're building a product that helps people buy more crap - and watch porn." -- Seagate CEO Bill Watkins














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki