Exploit Allows Users to Continue to Compromise Apple Users' Passwords
March 22, 2013 3:32 PM
comment(s) - last by
All that's needed to reset a password is a user's AppleID, date of birth, and email
Apple, Inc. (
), a company
infamous for weak security
brazen arrogance regarding its safety
, has been in the spotlight for the wrong reasons of late. Its policies last year allowed
a huge hack
on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.
The hack caused Apple to embark on
a series of security changes
, which made it harder for remote users to retrieve a password that possibly wasn't theirs. The latest step was to install two-step verification, a new process that sends a code to your device.
Apple began rolling out the new two-step authentication (
users' Apple IDs
this week. Users can
Apple's 2-step ID verification.
But unfortunately Apple's own "
" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation. All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).
If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.
Use the first and last name, plus past addresses to recover the AppleId.
Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]
The exploit was
9 to 5 Mac
with the above description of the exploit, pointing curious folks on where to go to try it out.
In an update
reveals more bad news. The site's Chris Welch writes:
Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.
Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (
9 to 5 Mac
This article is over a month old, voting and posting comments is disabled
RE: Sigh...here we go again
3/25/2013 6:16:37 AM
Its a lot of opinion when it comes down to it. I put up with Android for years and got tired of waiting for its numerous problems to get fixed. Your list of features that can be found in the cheapest devices isn't convincing, and for me it isn't worth the tradeoffs. You either don't really use your phone very much or you have very low standards.
I've been coming to AT since 1999, pretty old school. You don't need to be here long though to see that AT is extremely balanced while DT isn't. Of course you see no reason for DT to change, you eat it all up while pretending to be disappointed in an attempt to look fair.
You are right that I am visiting the wrong site. Maybe AT will remove it from the sidebar someday.
RE: Sigh...here we go again
3/25/2013 8:20:10 AM
I meant I saw no reason for me to change sites, I visit through Anandtech as well. I agree DT has gone downhill and has pretty much become the tech equivalent of tabloid journalism... But much of the news is still news.
"The Space Elevator will be built about 50 years after everyone stops laughing" -- Sir Arthur C. Clarke
Apple, Amazon Change Security Policies After Hack Attack on Journalist
August 8, 2012, 12:00 PM
Apple, Amazon's Weak Security Allows Huge Hack of Gizmodo Reporter
August 7, 2012, 12:28 PM
Apple to Update iTunes with iCloud Integration, Music Sharing
June 28, 2012, 5:07 PM
Kaspersky Labs: Apple's Security 10 Years Behind Microsoft
April 26, 2012, 7:39 AM
Mac Gets The Girl In New Anti-Microsoft Ad
May 13, 2009, 9:33 AM
Chromebooks Expected to See Sales Grow 26 Percent to 7.3 Million Units This Year
May 22, 2015, 1:26 PM
Apple Finally Updates 15" MacBook Pro w/ Force Touch; 5K iMac Gets Price Cut
May 20, 2015, 1:45 PM
LG G4's International Rollout Begins; Pint-Sized G4c, High-End G4 Stylus Trot Out
May 19, 2015, 12:54 AM
President Obama Posts His First "Personal" Tweet to Twitter Via an iPhone
May 18, 2015, 4:38 PM
Microsoft Bricks the Xbox Ones of Gears of War Testers Responsible for Leaks
May 14, 2015, 5:26 PM
Windows 10 Mobile Build 10080 is Available for New Phones, Brings Office Preview
May 14, 2015, 2:53 PM
Most Popular Articles
America's Largest Cable Company, Comcast, Sees Internet Subscriptions Pass TV
May 4, 2015, 2:46 PM
Can id Software's Doom Find Its Way Out of a 7+ Year Development Hell?
May 19, 2015, 7:38 PM
Oculus Rift Confirms "Pause" in OS X, Linux Development, Some Devs are Mad
May 18, 2015, 11:36 PM
Oculus Rift and Compatible Gaming Rig Will Likely Cost $1,000 or More
May 15, 2015, 3:50 PM
Seagate Senior Researcher: Heat Can Kill Data on Stored SSDs
May 13, 2015, 2:49 PM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information