Exploit Allows Users to Continue to Compromise Apple Users' Passwords
March 22, 2013 3:32 PM
comment(s) - last by
All that's needed to reset a password is a user's AppleID, date of birth, and email
Apple, Inc. (
), a company
infamous for weak security
brazen arrogance regarding its safety
, has been in the spotlight for the wrong reasons of late. Its policies last year allowed
a huge hack
on Gizmodo blogger and prize-winning journalist Mat Honan, whose Apple accounts were compromised via lax password recovery features.
The hack caused Apple to embark on
a series of security changes
, which made it harder for remote users to retrieve a password that possibly wasn't theirs. The latest step was to install two-step verification, a new process that sends a code to your device.
Apple began rolling out the new two-step authentication (
users' Apple IDs
this week. Users can
Apple's 2-step ID verification.
But unfortunately Apple's own "
" tool remains online, which allows you to reset a user's password that hasn't upgraded to enable two-step validation. All that is needed is a user's Apple ID, email, and date of birth (the Apple ID arguably being the hardest to obtain, but potentially gained through phishing or other methods).
If you have a list of a person's past addresses (freely available via a variety of private investigator databases), you can get a user's Apple ID via a secondary recovery form on the page.
Use the first and last name, plus past addresses to recover the AppleId.
Use the email, recovered AppleID, and birth date to reset the password.
[Image Source: 9 to 5 Mac]
The exploit was
9 to 5 Mac
with the above description of the exploit, pointing curious folks on where to go to try it out.
In an update
reveals more bad news. The site's Chris Welch writes:
Yesterday a number of users were told they'd need to wait three days before enabling two-step verification. As a result, these accounts are fully vulnerable to the exploit. As of right now, the only surefire way these individuals can avoid the security threat is by change their birthdate on Apple's account settings page.
Changing your birthdate to a fake date would stymie users who snagged your birthdate from various public databases or social media sites like Facebook, Inc. (
9 to 5 Mac
This article is over a month old, voting and posting comments is disabled
RE: Sigh...here we go again
3/25/2013 8:20:10 AM
I meant I saw no reason for me to change sites, I visit through Anandtech as well. I agree DT has gone downhill and has pretty much become the tech equivalent of tabloid journalism... But much of the news is still news.
"Intel is investing heavily (think gazillions of dollars and bazillions of engineering man hours) in resources to create an Intel host controllers spec in order to speed time to market of the USB 3.0 technology." -- Intel blogger Nick Knupffer
Apple, Amazon Change Security Policies After Hack Attack on Journalist
August 8, 2012, 12:00 PM
Apple, Amazon's Weak Security Allows Huge Hack of Gizmodo Reporter
August 7, 2012, 12:28 PM
Apple to Update iTunes with iCloud Integration, Music Sharing
June 28, 2012, 5:07 PM
Kaspersky Labs: Apple's Security 10 Years Behind Microsoft
April 26, 2012, 7:39 AM
Mac Gets The Girl In New Anti-Microsoft Ad
May 13, 2009, 9:33 AM
Google Testing Smart Thermostat in St. Louis
December 17, 2013, 11:43 AM
Microsoft Wins "Synchronized Calendar" Patent Case Against Motorola Mobility
December 17, 2013, 11:23 AM
President Barack Obama Meeting with Tech Leaders to Discuss HealthCare.gov, NSA
December 17, 2013, 10:59 AM
Quick Note: E-Waste to Increase by One-Third by 2017, U.S. Leads in E-Waste Output
December 16, 2013, 12:20 PM
Amazon Announces No Interest, Kindle Fire HDX Payment Plan
December 16, 2013, 10:35 AM
Google Removes "App Ops" Privacy Control Feature from Android 4.4.2
December 16, 2013, 9:29 AM
Most Popular Articles
Report: Windows 8.2 Revives Start Menu, Runs Metro Apps in Desktop Mode
December 10, 2013, 2:56 PM
Chinese Media Puts Positive Spin on Its Smog Problem, Touts 5 "Benefits"
December 11, 2013, 12:39 PM
China's Lunar Rover Enters Orbit, Prepares for Historic Sat. Landing
December 13, 2013, 5:00 PM
The History of Normandy: How Nokia Plotted a Low-End Android Line
December 11, 2013, 8:12 PM
Metro-Enabled Firefox Browser Expected to Land After Two Years of Work
December 12, 2013, 5:21 PM
Latest Blog Posts
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
Global Cyber Espionage Concerns Reveal Growing Cyber Armies
Nov 29, 2013, 11:04 AM
Is The Period Becoming an Expression of Anger?
Nov 26, 2013, 2:02 PM
NSA and Congress -- You Will Never Kill the Constitution, It's an Idea
Nov 10, 2013, 2:00 PM
AT&T Explores $100B+ USD Deal to Acquire Vodafone's European Operations
Nov 4, 2013, 7:34 AM
More Blog Posts
Copyright 2013 DailyTech LLC. -
Terms, Conditions & Privacy Information