Apple working on fix for Apple ID password security hole [update: fixed]

post #1 of 22
Thread Starter 
Hours after a vulnerability in the Apple ID password-reset process was disclosed, Apple acknowledged the issue and said it is actively working on a fix.

Update: As of 7 p.m. Pacific, Apple's iForgot webpage and related services are back online.

The vulnerability, disclosed earlier on Friday, allows an attacker to reset another user's Apple ID and iCloud password using only the victim's email address and date of birth. Because one credential fronts every Apple service, a successful reset effectively hands over the victim's entire Apple ID, including iTunes purchases, iCloud e-mail, and all synced iCloud data.

After the discovery, Apple subsequently took down the iForgot password reset page "for maintenance," and updated the iCloud System Status webpage to inform users of the issue.

In a statement to The Verge the company said, "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix."

Apple did not say when it expects the issue to be resolved.
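The article above describes a reset flow that accepted an email address and a date of birth as the only proof of account ownership. The following is an added example, not code from Apple or from anyone in this thread: the weak pattern beside a hardened reset that mails a single-use, time-limited token to the address on file, limits completion attempts, and gives the same reply whether or not the address is registered. All class and function names, the in-memory account store, and the sample data are assumptions made for illustration.

```python
# Added example: a reset authorised by knowledge factors (email + date of birth)
# next to one that requires a one-time token delivered to the mailbox on file.
# Names, the account store and the sample data are constructed for illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def make_users():
    """Constructed sample account store (fake data)."""
    return {"alice@example.com": {"dob": "1990-04-12", "password": "old"}}


class WeakResetService:
    """Reset authorised by facts an attacker can usually look up."""

    def __init__(self, users):
        self.users = users

    def reset(self, email, dob, new_password):
        user = self.users.get(email)
        if user is None or user["dob"] != dob:
            return False                       # also reveals whether the email exists
        user["password"] = new_password        # stored plain only to keep the example short
        return True


@dataclass
class PendingReset:
    token_hash: bytes     # only a hash is stored; a database leak yields no usable token
    expires_at: float


class HardenedResetService:
    TOKEN_TTL = 15 * 60   # seconds a mailed token stays valid
    MAX_ATTEMPTS = 5      # wrong-token attempts tolerated per address before the token is burnt
    GENERIC_REPLY = "If that address is registered, a reset link has been sent."

    def __init__(self, users, outbox, clock=time.time):
        self.users = users
        self.outbox = outbox      # stands in for the mail sender: list of (email, token)
        self.clock = clock        # injectable so expiry can be exercised in tests
        self.pending = {}
        self.attempts = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email):
        """Same reply whether or not the address exists, so the endpoint cannot enumerate accounts."""
        if email in self.users:
            token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
            self.pending[email] = PendingReset(self._hash(token),
                                               self.clock() + self.TOKEN_TTL)
            self.attempts.pop(email, None)              # fresh token, fresh budget
            self.outbox.append((email, token))          # proof of mailbox control goes out of band
        return self.GENERIC_REPLY

    def complete_reset(self, email, token, new_password):
        """Accept a new password only with a live, unused token for this address."""
        tries = self.attempts.get(email, 0) + 1
        self.attempts[email] = tries
        if tries > self.MAX_ATTEMPTS:
            self.pending.pop(email, None)               # burn the token; owner must request a new one
            return False

        req = self.pending.get(email)
        if req is None or self.clock() > req.expires_at:
            self.pending.pop(email, None)
            return False
        if not hmac.compare_digest(req.token_hash, self._hash(token)):
            return False                                # constant-time comparison
        del self.pending[email]                         # single use
        self.attempts.pop(email, None)
        self.users[email]["password"] = new_password
        return True
```

The weak service needs nothing an attacker cannot find on a social-network profile; the hardened one requires control of the mailbox, and a guessed or replayed token fails. In a real deployment the new password would be hashed with a slow KDF, the token would be carried in a mailed link rather than returned to the caller, and existing sessions would be revoked on a successful reset.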
post #2 of 22

Apple's security people seem to have very quick reactions these days. That new malware browser plugin has already been added to Xprotect too.

post #3 of 22
Quote:
Originally Posted by ascii View Post

Apple's security people seem to have very quick reactions these days. That new malware browser plugin has already been added to Xprotect too.

They are certainly on top of holes more quickly than other companies, and it's likely that the number of exploits is because of Apple's excessive mindshare, but I can't help but wonder if many of them should not have happened in the first place.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #4 of 22
1. but how to reset your pw now, while they're fixing it?

2. never, ever, associate your email with your b-day, or anything else for that matter. Also, never use a password for two different services or companies. In fact, use a unique email address for any specific purpose; easy to delete when not used anymore. And easy to defeat spam.
I’d rather have a better product than a better price.
post #5 of 22
Quote:
Originally Posted by PhilBoogie View Post

1. but how to reset your pw now, while they're fixing it?

Good question.
Quote:
2. never, ever, associate your email with your b-day, or anything else for that matter. Also, never use a password for two different services or companies. In fact, use a unique email address for any specific purpose; easy to delete when not used anymore. And easy to defeat spam.

Even if you trust the company you're giving it to, there are still possible gaps that can be exploited at a company that is completely on the up and up. Sometimes they aren't coding issues that can be circumvented like this current issue, or a hacker gaining access to a server, but an employee, or even pulling the info over an unsecured WiFi hotspot.


LastPass is certainly less expensive but it's not as nice, and since it's server-based it does offer a potential security risk if hacked. Still, I'd use LastPass over nothing.

post #6 of 22
Quote:
Originally Posted by SolipsismX View Post


They are certainly on top of holes more quickly than other companies, and it's likely that the number of exploits is because of Apple's excessive mindshare, but I can't help but wonder if many of them should not have happened in the first place.

It's very difficult to test every conceivable way to hack into an OS before a company releases a new OS version. It doesn't matter if it's Apple, Microsoft, etc. The thing that is most important is getting them fixed as quickly as possible and having as few potential ways to hack them in the first place. When the Android device manufacturers released the NFC chip, there was a hack that surfaced fairly soon afterwards. Maybe that might be a reason why Apple didn't want to just stick an NFC chip inside, since that exploit surfaced, I think, just before the iPhone 5 was released, so Apple probably thought it might be worthwhile waiting; plus the business need has to be there as well.

 

Either way, the benefit of iOS is that when they release an update, we all get it immediately, and there is always a lot of visibility for them to fix major problems.  Android, on the other hand, is FAR more difficult to get every mfg and model to get an update, which is why I personally won't even consider the Android platform.  Microsoft does an OK job, but they've not done very well in the past with previous versions of Windows for the desktop, which is one of the reasons why I stick with OS X.

post #7 of 22
Update in Windows 8 is totally seamless and automatic.
post #8 of 22
Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.

post #9 of 22
Seems Odd Apple doesn't verify IP of user to acknowledge access.

I don't use iCloud, keeping it low profile with older gear at 10.6.8.
Suspect I'll be forced to upgrade eventually.

If I wanted to use a cloud - I'd use RackSpace - some testing done - looks solid.

iCloud - or iCould - used for low profile data only.

I'm sure it gets resolved.

Some Stuff Related, PC to Apple 2005

post #10 of 22
Quote:
Originally Posted by SolipsismX View Post

LastPass is certainly less expensive but it's not as nice, and since it's server-based it does offer a potential security risk if hacked. Still, I'd use LastPass over nothing.

My understanding is that both are equally secure. LastPass encrypts/decrypts the data on the device with keys unique to that device that stay on the device. Data on the server cannot be accessed even by the operators of LastPass because they have no access to the keys. I will admit that the 1Password interface is much, much nicer.

 

Quote:
Originally Posted by Philscbx View Post

Seems Odd Apple doesn't verify IP of user to acknowledge access.

Probably because IPs can be spoofed easily enough.

"You can't fall off the floor"   From 128k Mac to 8GB MBP

post #11 of 22
Quote:
Originally Posted by SolipsismX View Post


Since those sync over the internet I have a difficult time trusting it. I therefore use Bento, the 'standalone' app from FileMaker. Make all changes on my MP, plug in iPhone and iPad, have the app open on all 3 and synchronize. Sounds cumbersome, but it is the safest way I know. And the app asks for a PIN in order to open it. As I don't make daily changes it works for me.
Quote:
Originally Posted by SolipsismX View Post

Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.

Can't find a story for that. Do know that even after you enable it (or dismiss that popup) it comes back every now and then. I presume because it loses the network connection every now and then. It only happens on my iPad. Plural, actually, but I disabled everything on my Gen1 and use it as a media AirPlayer, to the AppleTV, connected over optical cable to the stereo. But this is all OT, coming from OT.
post #12 of 22
Originally Posted by SolipsismX View Post
Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.

 

There's not even a way to see what devices are using your local AirPort network. I seriously doubt they've given people the option to see which of their devices are using iCloud…

post #13 of 22
Quote:
Originally Posted by Tallest Skil View Post

There's not even a way to see what devices are using your local AirPort network.

Hmm, with Airport Util 6.2 I see the wireless clients, by MAC address and name, if setup properly
post #14 of 22
Quote:
Originally Posted by SolipsismX View Post

Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.

You might want to change your password just to be on the safe side.

post #15 of 22

Does anyone remember when Apple didn't have to release OS versions to fix such stupid mistakes?

An Apple man since 1977
post #16 of 22
Quote:
Originally Posted by PhilBoogie View Post

Since those sync over the internet I have a difficult time trusting it. I therefore use Bento, the 'standalone' app from FileMaker. Make all changes on my MP, plug in iPhone and iPad, have the app open on all 3 and synchronize. Sounds cumbersome, but it is the safest way I know. And the app asks for a PIN in order to open it. As I don't make daily changes it works for me.

1Password can sync to other devices directly without using Dropbox, if you wish.
Quote:
Originally Posted by tylerk36 View Post

Does anyone remember when Apple didn't have to release OS versions to fix such stupid mistakes?

I remember it like it was yesterday… because it was yesterday. No OS update was released to resolve this issue.
Edited by SolipsismX - 3/23/13 at 8:39am

post #17 of 22
Originally Posted by PhilBoogie View Post
Hmm, with Airport Util 6.2 I see the wireless clients, by MAC address and name, if setup properly

 

Yes, but that's it! I see a list of MAC addresses, local IPs, and names. I have no means to set what MAC address corresponds to what computer, I have no means to individually allow or deny said connections… 

 

I can't tell what is what, where, or why.

 

And since switching over to a new AirPort Extreme, I'm under the impression that computers I have explicitly disallowed connecting are somehow still connecting… But there's no way for me to actually check that!

post #18 of 22
Quote:
Originally Posted by SolipsismX View Post

1Password can sync to other devices directly without using Dropbox, if you wish.

I remember it like it was yesterday… because it was yesterday. No OS update was released to resolve this issue.

One thumb for tipping me; I'll take another look @ 1Password. Two thumbs up for your response to tylerk36.
Quote:
Originally Posted by Tallest Skil View Post

...I have no means to individually allow or deny said connections… 

Hmm, I'm on an AE, and there's a tab 'Network' with a button 'Timed Access Control...' and I can config the times, or deny it all. Maybe I'm not understanding your config correctly...
Quote:
And since switching over to a new AirPort Extreme, I'm under the impression that computers I have explicitly disallowed connecting are somehow still connecting… But there's no way for me to actually check that!

That sounds weird. I presume you have gone the IT route, trying out a reset, reinstall, delete and add Macs and all that?
post #19 of 22
Originally Posted by PhilBoogie View Post
Hmm, I'm on an AE, and there's a tab 'Network' with a button 'Timed Access Control...' and I can config the times, or deny it all. Maybe I'm not understanding your config correctly...

 

I mean to say that I'd really like to see it as a live, updating list rather than just in the configuration.


That sounds weird. I presume you have gone the IT route, trying out a reset, reinstall, delete and add Macs and all that?

 

I hope you don't mean all the OSes on my computers and devices, but rather just the AirPort Extreme.

 

And yes. I imagine it's just this stupid new AirPort Utility (since now that I have a device with which it's compatible I can comment on its use) which is, in every respect, completely and utterly unusable. Yes, it added the ability to see a list of the current connections (better than the old one, which wouldn't show you anything of that sort), but what good is that when I can't do anything with them? 

 

Had to use the old one to even set MAC address access control… (EDIT: Now I can both see and add MAC addresses to the list of approved machines via the new AirPort Utility, but I could not before doing it in the old one.)

 

If NOTHING else, I'd like the text list comprised of ".local" names, MAC addresses, AND local IPs to be, you know, just the NAMES of the computers and devices involved. I don't have the memory to remember actually important things; I can't be spending hours memorizing the MAC addresses of my devices to know what's on and where, and using that to know when I don't recognize a MAC address, leading me to think there's someone on my network!

post #20 of 22
Quote:
Originally Posted by Tallest Skil View Post

I hope you don't mean all the OSes on my computers and devices, but rather just the AirPort Extreme.

Dear, no, just the Airport software on your Mac. Maybe the firmware on your Airport, if that would help(?)
Quote:
And yes. I imagine it's just this stupid new AirPort Utility (since now that I have a device with which it's compatible I can comment on its use) which is, in every respect, completely and utterly unusable. Yes, it added the ability to see a list of the current connections (better than the old one, which wouldn't show you anything of that sort), but what good is that when I can't do anything with them? 

But the old AirPort Utility 5.6 shows the client names, well, if you enter a description, which helps:


Had to use the old one to even set MAC address access control… (EDIT: Now I can both see and add MAC addresses to the list of approved machines via the new AirPort Utility, but I could not before doing it in the old one.)
Yes, you can, it's in the above screen dump.
Quote:
If NOTHING else, I'd like the text list comprised of ".local" names, MAC addresses, AND local IPs to be, you know, just the NAMES of the computers and devices involved. I don't have the memory to remember actually important things; I can't be spending hours memorizing the MAC addresses of my devices to know what's on and where, and using that to know when I don't recognize a MAC address, leading me to think there's someone on my network!

That's an understandable request, and can only hope for Apple to improve on it. Perhaps I should give feedback...

OT: replying to your reply on my post generates that html jibbery:


Bit annoying when typing ones' reply. Can you tip Huddler for improvement on that as well please?
post #21 of 22
Originally Posted by PhilBoogie View Post
Yes, you can, it's in the above screen dump.

 

Yeah, you can add a description there, but THAT AirPort Utility doesn't let you see what is connected to the network, and the OTHER one doesn't SHOW that description.

 

I swear, Apple should NEVER have released AirPort Utility 6 until it was done. It's not even alpha-worthy right now.

post #22 of 22
So, it looks like I am a victim of this. Got a series of emails about my password getting reset and iCloud accessed off of several devices I do not own. I called Apple and changed all of my passwords/ questions/etc (they did not mention this breach). My question for all of you: What now?

What could the "malicious users" get from accessing my iCloud? Pictures, address, last 4 of Credit Card .. etc. And what do you think my next steps should be (what to change to protect myself and what to look out for). Thank you in advance!