New security hole allows for Apple ID password reset using Apple's iForgot page [u]

Posted in iCloud, edited January 2014
Just a day after Apple tightened account security by introducing two-step verification, yet another vulnerability has been exposed, one that could allow for malicious users to reset the Apple ID and iCloud passwords of others using only an email address and date of birth.

Update: Apple has pulled the "iForgot" webpage down for maintenance following reports of the vulnerability.

I forgot


The new vulnerability was posted to a website and allows for password resets using Apple's iForgot page, The Verge reported on Friday. Citing security concerns, the publication did not link to the page detailing the exploit, but the tech news site says that it has confirmed the security hole firsthand.

The exploit requires knowledge of both the date of birth and email address associated with an Apple ID. While the report on the vulnerability does not detail the process, it involves a malicious user pasting in a modified URL while answering the DOB security question on the iForgot page. Doing so allows for the resetting of a password, possibly giving another user access to the whole of an Apple ID account.

News of the exploit comes just a day after Apple enabled two-step verification for Apple IDs. Upon enabling the enhanced security feature, users can receive verification codes on their mobile devices, either through the Find My iPhone app or by text message. Those security codes are then used as a second verification method when making changes to an Apple ID account.

Comments

  • Reply 1 of 26
    gwmac Posts: 1,807 member
    Looks like we might be using 6.1.8 before iOS 7 is released at this rate.
  • Reply 2 of 26
    mstone Posts: 11,510 member


    "Shut the company down and give the money back to the shareholders." 

  • Reply 3 of 26
    tallest skil Posts: 43,388 member


    Let me guess, you have to take out the SIM card while unplugging the printer (has to be an HP printer that can't AirPlay) during an iTunes reencode of audio while Safari is downloading a .RAR file (not .ZIP).

  • Reply 4 of 26
    gatorguy Posts: 24,176 member
    Geez. . .:\

    Is mobile security just a fairytale? One hole closes and another one opens. I don't know if Apple/Google/MS can move fast enough to fill every hole as fast as they're found. There's gotta be a better way.

    EDIT: From MacRumors
    "Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed."

    Easy enough for those that read about it.
  • Reply 5 of 26
    charlituna Posts: 7,217 member
    My guess is that it's going to turn out that it only works on those folks that keep skipping adding security questions to their account, haven't turned on two-step, etc.

    In other words, those that give a damn about their security will be fine
  • Reply 6 of 26
    This is a web site issue not iOS.
  • Reply 7 of 26
    Let me guess, you have to take out the SIM card while unplugging the printer (has to be an HP printer that can't AirPlay) during an iTunes reencode of audio while Safari is downloading a .RAR file (not .ZIP).
    I'm sure it's just a generic GET URL that takes you to the password change screen. This shouldn't be a hard bug to patch up. Will probably be fixed by tonight
  • Reply 8 of 26
    solipsismx Posts: 19,566 member
    gwmac wrote: »
    Looks like we might be using 6.1.8 before iOS 7 is released at this rate.

    What the hell does this have to do with iOS? :no:
  • Reply 9 of 26
    nizzard Posts: 58 member


    I just love how this is no big deal to apple fan boys...however, if it was google or samsung affected by this flaw...HOLY SH*T WATCH OUT

  • Reply 10 of 26


    ...any fanboy of anything is like that. I certainly feel the same way as an Apple fan.  One chink in the armor and the stock's trading $10 down and my mom's telling me that Apple's not doing so good and has some security issue she read about on the yahoo homepage (I didn't know yahoo had a homepage either, ;) ).  The point is, fans like to depreciate the competitors for absolutely anything. The media loves to over-hype it because us phone-tech nerds have a hungry appetite for rumors/news, so everything is sensationalized.  We use these little things to keep a never-ending tally of whose innovative ding-dong is longer.  Blah blah blah.  It feels very old.  Honestly: I'm a fan, I come on here to read rumors I care about.  I do not care about the fictional (mostly) drama between these companies, the real drama between the fans, or the writers of these articles who keep the drama-pot stirring.  Please find a fan site that you are cohesive with :)

  • Reply 11 of 26
    jollypaul Posts: 328 member


    I'm safe. I was born in the future, so the ne'er do wells will never guess my b-day.

  • Reply 12 of 26
    jollypaul Posts: 328 member

    Originally Posted by NIZZARD:
    I just love how this is no big deal to apple fan boys...however, if it was google or samsung affected by this flaw...HOLY SH*T WATCH OUT

    You sound as whiney as an Apple fanboy. I guess you subscribe to a different religion.

  • Reply 13 of 26
    eriamjh Posts: 1,630 member


    Account verification should NEVER rely on anything as simple as a date, or something someone might have on FB (best friend's name, favorite anything, etc.).


    I'm still surprised they only use 4 digits for the phone's passcode.

  • Reply 14 of 26
    Seems to me that those in the know got in the huff so made it live on the web.

    It just might have been there for a few years.
  • Reply 15 of 26
    tallest skil Posts: 43,388 member


    Originally Posted by Eriamjh:
    I'm still surprised they only use 4 digits for the phone's passcode.

    Maybe you'd be more surprised to learn that the "still" doesn't apply. (has it ever?)

  • Reply 16 of 26
    Embarrassing.
  • Reply 17 of 26
    solipsismx Posts: 19,566 member
    Am I the only one who has never used their actual birthdate (or accurate security code answers, like mother's maiden name)?
  • Reply 18 of 26
    solipsismx Posts: 19,566 member
    eriamjh wrote: »
    I'm still surprised they only use 4 digits for the phone's passcode.

    Why? It's 10,000 combinations, it has timeouts by default for too many failed attempts, you can make it erase the phone if need be, and you can turn off the simple password option.
  • Reply 19 of 26
    jragosta Posts: 10,473 member
    solipsismx wrote: »
    Am I the only one who has never used their actual birthdate (or accurate security code answers, like mother's maiden name)?

    The problem is that there are so many sites that all have different rules. Some require a combination of letters and numbers. Some require some upper case. Others require symbols. Some won't allow common words. It gets to the point that you have to either start writing things down (which is terrible from a security standpoint) or rely on the 'send me my password' option. If you start using fake birth dates or names for that, then you have to remember all of the fake information. The whole thing is out of control. I can't wait until they allow fingerprint ID to sign in.

    Either that, or shoot malware authors and identity thieves.
  • Reply 20 of 26
    solipsismx Posts: 19,566 member
    jragosta wrote: »
    The problem is that there are so many sites that all have different rules. Some require a combination of letters and numbers. Some require some upper case. Others require symbols. Some won't allow common words. It gets to the point that you have to either start writing things down (which is terrible from a security standpoint) or rely on the 'send me my password' option. If you start using fake birth dates or names for that, then you have to remember all of the fake information. The whole thing is out of control. I can't wait until they allow fingerprint ID to sign in.

    Either that, or shoot malware authors and identity thieves.

    Every single account I have is unique. It's all saved and protected with 1Password. Sure, I'm putting my trust in one thing, but that's better than putting my trust in a small handful of passwords and personal data that I use across everything. The only passwords I know by heart are my 1Password password (of course), my iTS/iCloud password (in case I need to use Find My iPhone), home WiFi, Mac logins, and Home Sharing. I think that's it. Everything else is a complex and random string of characters.