backtop


Print

All that's needed to reset a password is a user's AppleID, date of birth, and email

Apple, Inc. (AAPL), a company infamous for weak security and brazen arrogance regarding its safety, has been in the spotlight for the wrong reasons of late.  Its policies last year allowed a huge hack on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.  

The hack caused Apple to embark on a series of security changes, which made it harder for remote users to retrieve a password that possibly wasn't theirs.  The latest step was to install two-step verification, a new process that sends a code to your device.

Apple began rolling out the new two-step authentication (FAQ) for users' Apple IDs this week.  Users can go here to apply.

Apple two step
Apple's 2-step ID verification.

But unfortunately Apple's own "iForgot" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation.  All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).  

If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.

AppleID
Step 1: Use the first and last name, plus past addresses to recover the AppleId.

AppleID
Step 2: Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]

The exploit was first reported/validated on by The Verge.  9 to 5 Mac went live with the above description of the exploit, pointing curious folks on where to go to try it out.

In an update The Verge reveals more bad news.  The site's Chris Welch writes:

Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.

Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (FB).

Sources: Apple, 9 to 5 Mac, The Verge





"If you mod me down, I will become more insightful than you can possibly imagine." -- Slashdot






Most Popular ArticlesSuper Hi- Vision Will Amaze the World
January 16, 2017, 9:53 AM
Samsung Chromebook Plus – Coming in February 2017
January 17, 2017, 12:01 AM
Samsung 2017 Handset’s Updates
January 17, 2017, 12:01 AM
Teclast Tbook X5 Pro - Coming January 23
January 16, 2017, 9:21 AM
Gionee Marathon M5 Plus – China’s Flagship Smartphone
January 15, 2017, 2:02 AM

Latest Blog Posts
Some new News
Saimin Nidarson - Jan 23, 2017, 8:59 AM
What is new?
Saimin Nidarson - Jan 22, 2017, 7:00 AM
News
Saimin Nidarson - Jan 20, 2017, 7:00 AM
News of the World
Saimin Nidarson - Jan 19, 2017, 7:00 AM
Some tips
Saimin Nidarson - Jan 17, 2017, 12:16 AM
News of the Day
DailyTech Staff - Jan 16, 2017, 12:10 PM
Tech News
Saimin Nidarson - Jan 15, 2017, 12:32 AM
Here is Some News
Saimin Nidarson - Jan 14, 2017, 12:39 AM
News around the world
Saimin Nidarson - Jan 12, 2017, 12:01 AM
Rumors and Announcements
Saimin Nidarson - Jan 11, 2017, 12:01 AM
Some news of Day
Saimin Nidarson - Jan 7, 2017, 12:01 AM
News 2017 CES
Saimin Nidarson - Jan 6, 2017, 12:01 AM






botimage
Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki