
New security hole allows for Apple ID password reset using Apple's iForgot page [u]

post #1 of 24
Just a day after Apple tightened account security by introducing two-step verification, yet another vulnerability has been exposed, one that could allow for malicious users to reset the Apple ID and iCloud passwords of others using only an email address and date of birth.

Update: Apple has pulled the "iForgot" webpage down for maintenance following reports of the vulnerability.

[Image caption: "j'ai oublie" ("I forgot")]

The new vulnerability was posted to a website and allows for password resets using Apple's iForgot page, The Verge reported on Friday. Citing security concerns, the publication did not link to the page detailing the exploit, but the tech news site says that it has confirmed the security hole firsthand.

The exploit requires knowledge of both the date of birth and email address associated with an Apple ID. While the report on the vulnerability does not detail the process, it involves a malicious user pasting in a modified URL while answering the DOB security question on the iForgot page. Doing so allows for the resetting of a password, possibly giving another user access to the whole of an Apple ID account.

News of the exploit comes just the day after Apple enabled two-step verification for Apple IDs. Upon enabling the enhanced security feature, users can receive verification codes on their mobile devices, either through the Find My iPhone app or by text message. Those security codes are then used as a second verification method when making changes to an Apple ID account.
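The article says only that the reset could be pushed through by pasting a modified URL at the date-of-birth step. The defensive lesson for anyone building a multi-step reset flow is that the server, not the client's URL or form, must be the record of which steps were actually passed. The following is an added illustration of that design; it is not Apple's iForgot code and not part of the original article. The account store, the `start_reset`/`answer_dob`/`complete_reset` functions, the three-guess cap and the ten-minute token lifetime are all constructed for the example.

```python
"""Server-side state for a multi-step password reset (constructed example).

Not Apple's code. Which verification steps a caller has passed is recorded on
the server, keyed by an opaque single-use token, so nothing the client sends in
a URL or form can claim a step it never completed.
"""
import hmac
import secrets
import time
from typing import Optional

# Constructed sample account store; a real service would use a database.
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-04-12", "password": "old-secret"},
}

MAX_DOB_ATTEMPTS = 3        # a date is guessable, so cap guesses per token
TOKEN_TTL_SECONDS = 600     # assumed lifetime: reset token expires after ten minutes

# token -> server-side progress record (in-memory stand-in for a datastore)
_sessions: dict = {}


def start_reset(email: str) -> Optional[str]:
    """Begin a reset for `email`; returns an opaque token, or None if unknown."""
    if email not in ACCOUNTS:
        return None  # a production flow would respond identically either way
    token = secrets.token_urlsafe(32)  # unguessable, unrelated to the email
    _sessions[token] = {
        "email": email,
        "created": time.monotonic(),
        "dob_attempts": 0,
        "steps_passed": set(),
    }
    return token


def _live_session(token: str) -> Optional[dict]:
    """Return the session for `token` if it exists and has not expired."""
    sess = _sessions.get(token)
    if sess is None:
        return None
    if time.monotonic() - sess["created"] > TOKEN_TTL_SECONDS:
        _sessions.pop(token, None)
        return None
    return sess


def answer_dob(token: str, dob: str) -> bool:
    """Check the date-of-birth step; progress is recorded only on the server."""
    sess = _live_session(token)
    if sess is None:
        return False
    sess["dob_attempts"] += 1
    expected = ACCOUNTS[sess["email"]]["dob"]
    if hmac.compare_digest(expected.encode(), dob.encode()):
        sess["steps_passed"].add("dob")
        return True
    if sess["dob_attempts"] >= MAX_DOB_ATTEMPTS:
        _sessions.pop(token, None)  # too many guesses: burn the token
    return False


def complete_reset(token: str, new_password: str) -> bool:
    """Set a new password only if the server's own record shows DOB passed."""
    sess = _live_session(token)
    if sess is None or "dob" not in sess["steps_passed"]:
        return False
    ACCOUNTS[sess["email"]]["password"] = new_password
    _sessions.pop(token, None)  # single use: a token cannot be replayed
    return True


def current_password(email: str) -> str:
    """Helper for checking the outcome of a reset."""
    return ACCOUNTS[email]["password"]
```

The two properties worth checking are that `complete_reset` refuses a token whose DOB step was never recorded by `answer_dob`, whatever the client claims, and that a token is consumed after one successful reset or after the guess cap, so a birthdate cannot be enumerated against a single session.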
post #2 of 24

"Shut the company down and give the money back to the shareholders." 

Life is too short to drink bad coffee.

post #3 of 24

Let me guess, you have to take out the SIM card while unplugging the printer (has to be an HP printer that can't AirPlay) during an iTunes reencode of audio while Safari is downloading a .RAR file (not .ZIP).

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #4 of 24
Geez. . .

Is mobile security just a fairytale? One hole closes and another one opens. I don't know if Apple/Google/MS can move fast enough to fill every hole as fast as they're found. There's gotta be a better way.

EDIT: From MacRumors
"Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed."

Easy enough for those that read about it.
melior diabolus quem scies
post #5 of 24
My guess is that it's going to turn out that it only works on those folks that keep skipping adding security questions to their account, haven't turned on two-step, etc.

In other words, those that give a damn about their security will be fine

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #6 of 24
This is a web site issue not iOS.
post #7 of 24
Originally Posted by Tallest Skil:

Let me guess, you have to take out the SIM card while unplugging the printer (has to be an HP printer that can't AirPlay) during an iTunes reencode of audio while Safari is downloading a .RAR file (not .ZIP).
I'm sure it's just a generic GET URL that takes you to the password change screen. This shouldn't be a hard bug to patch up. Will probably be fixed by tonight.
post #8 of 24
Originally Posted by gwmac:

Looks like we might be using 6.1.8 before iOS 7 is released at this rate.

What the hell does this have to do with iOS?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #9 of 24

...any fanboy of anything is like that. I certainly feel the same way as an Apple fan. One chink in the armor and the stock's trading $10 down and my mom's telling me that Apple's not doing so good and has some security issue she read about on the Yahoo homepage (I didn't know Yahoo had a homepage either ;) ). The point is, fans like to depreciate the competitors for absolutely anything. The media loves to over-hype it because us phone-tech nerds have a hungry appetite for rumors/news, so everything is sensationalized. We use these little things to keep a never-ending tally of whose innovative ding-dong is longer. Blah blah blah. It feels very old. Honestly: I'm a fan, I come on here to read rumors I care about. I do not care about the fictional (mostly) drama between these companies, the real drama between the fans, or the writers of these articles who keep the drama-pot stirring. Please find a fan site that you are cohesive with :)

post #10 of 24

I'm safe. I was born in the future, so the ne'er do wells will never guess my b-day.

post #11 of 24

Account verification should NEVER rely on anything as simple as a date, or something someone might have on FB (best friend's name, favorite anything, etc.).

I'm still surprised they only use 4 digits for the phone's passcode.

post #12 of 24
Seems to me that those in the know got in a huff, so made it live on the web. It just might have been there for a few years.
post #13 of 24
Originally Posted by Eriamjh:
I'm still surprised they only use 4 digits for the phone's passcode.


Maybe you'd be more surprised to learn that the "still" doesn't apply. (has it ever?)

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #14 of 24
Embarrassing.
post #15 of 24
Am I the only one who has never used their actual birthdate (or accurate security code answers, like mother's maiden name)?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #16 of 24
Originally Posted by Eriamjh:

I'm still surprised they only use 4 digits for the phone's passcode.

Why? It's 10,000 combinations, it has timeouts by default for too many failed attempts, you can make it erase the phone if need be, and you can turn off the simple passcode option.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #17 of 24
Originally Posted by SolipsismX:

Am I the only one who has never used their actual birthdate (or accurate security code answers, like mother's maiden name)?

The problem is that there are so many sites that all have different rules. Some require a combination of letters and numbers. Some require some upper case. Others require symbols. Some won't allow common words. It gets to the point that you have to either start writing things down (which is terrible from a security standpoint) or rely on the 'send me my password' option. If you start using fake birth dates or names for that, then you have to remember all of the fake information. The whole thing is out of control. I can't wait until they allow fingerprint ID to sign in.

Either that, or shoot malware authors and identity thieves.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #18 of 24
Originally Posted by jragosta:

The problem is that there are so many sites that all have different rules. combination of letters and numbers. Some require some upper case. Others require symbols. Some won't allow common words. It gets to the point that you have to either start writing things down (which is terrible from a security standpoint) or rely on the 'send me my password' option. If you start using fake birth dates or names for that, then you have to remember all of the fake information. The whole thing is out of control. I can't wait until they allow fingerprint ID to sign in.

Either that, or shoot malware authors and identity thieves.

Every single account I have is unique. It's all saved and protected with 1Password. Sure, I'm putting my trust in one thing, but that's better than putting my trust in a small handful of passwords and personal data that I use across everything. The only passwords I know by heart are my 1Password password (of course), my iTS/iCloud password (in case I need to use Find My iPhone), home WiFi, Mac logins, and Home Sharing. I think that's it. Everything else is a complex and random string of characters.
Edited by SolipsismX - 3/22/13 at 5:45pm

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #19 of 24
Wow they really should tighten up security. Why do they still fail on web services?
post #20 of 24
Originally Posted by SolipsismX:

Why? It's 10,000 combinations, it has timeouts by default for too many failed attempts, you can make erase the phone if need be, and can turn off the simple password option.
There are a few products on the security/forensic market that can brute force a 4 digit pass code and bypass the 10 attempts rule. With a new pass attempt every 80 milliseconds they should be able to get the code in 18 to 20 minutes. This is by connecting their cracker to the phone (the pass code is entangled with the UDID so taking a copy of the phone and attempting to hack the image on a desktop won't work).

If you change to a complex password you should be fine and the AES encryption will keep you safe. The protocols Apple have put in place since the A5 chip are pretty impressive, but as with all things you need a decent password.

Really the 4 digit code is to stop friends/taxi drivers from getting into your phone, anything more you need a complex password. One benefit is that turning on even a simple pass code turns on data protection so that will help a lot.
The 3GS and 4 are pretty hackable though - good reason to upgrade!
..... the greatest fame comes from adding to human knowledge, not winning battles.
Paraphrased from Napoleon Bonaparte, 1798
post #21 of 24
Likely now that Apple are going to allow you to buy 'Tangible goods' with an NFC competitor. Obviously before this iTunes two-step change convenience mattered more.
post #22 of 24
How about updating your headline to show that Apple fixed this immediately?
post #23 of 24
Originally Posted by lostkiwi:

There are a few products on the security/forensic market that can brute force a 4 digit pass code and bypass the 10 attempts rule. With a new pass attempt every 80 milliseconds they should be able to get the code in 18 to 20 minutes. This is by connecting their cracker to the phone (the pass code is entangled with the UDID so taking a copy of the phone and attempting to hack the image on a desktop won't work).

If you change to a complex password you should be fine and the AES encryption will keep you safe. The protocols Apple have put in place since the A5 chip are pretty impressive, but as with all things you need a decent password.

Really the 4 digit code is to stop friends/taxi drivers from getting into your phone, anything more you need a complex password. One benefit is that turning on even a simple pass code turns on data protection so that will help a lot.
The 3GS and 4 are pretty hackable though- good reason to upgrade!

How does this get past the 1 minute wait period for failed attempts? How does this get past the erasing of the contents after it's attempted 10x?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #24 of 24

Well, I don't work for any of the respective companies but I do know they have specialised software which can bypass the password attempt restriction if they are connected to the phone directly.  If you are interested, look up these companies:


XRY (Sweden)

Elcomsoft (Russia)

Cellebrite/UFED (Israel)


I believe Cellebrite is the company used by most LEOs stateside, but in the UK there is a home-grown sec company called Radio Tactics. They use a different approach where officers load up the SIM into their specific handset and get subscriber info off that. It is a lot easier with all the non-iPhones as they store a lot more data on the SIM. However, even if all they had was the subscriber information, they can use that to get the person's details from the carrier and get all of the normal texts and calls made over the network sent to them for analysis, meaning they won't need access to the encrypted phone anyway. There is quite a scary article about it on the Beeb here.

..... the greatest fame comes from adding to human knowledge, not winning battles.
Paraphrased from Napoleon Bonaparte, 1798