Apple working on fix for Apple ID password security hole [update: fixed]
Hours after a security exploit was discovered regarding the resetting of Apple ID passwords, the company has acknowledged the issue and said it is actively working on a fix.
Update: As of 7 p.m. Pacific, Apple's iForgot webpage and related services are back online.
The vulnerability, exposed earlier on Friday, allows malicious users to reset the Apple ID and iCloud passwords of others using only the victim's email address and date of birth. The bug essentially grants unlimited access to every Apple service associated with their Apple ID, including iTunes accounts, e-mail, and synced iCloud data.
After the discovery, Apple subsequently took down the iForgot password reset page "for maintenance," and updated the iCloud System Status webpage to inform users of the issue.
In a statement to The Verge the company said, "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix."
Apple did not say when it expects the issue to be resolved.
Update: As of 7 p.m. Pacific, Apple's iForgot webpage and related services are back online.
The vulnerability, exposed earlier on Friday, allows malicious users to reset the Apple ID and iCloud passwords of others using only the victim's email address and date of birth. The bug essentially grants unlimited access to every Apple service associated with their Apple ID, including iTunes accounts, e-mail, and synced iCloud data.
After the discovery, Apple subsequently took down the iForgot password reset page "for maintenance," and updated the iCloud System Status webpage to inform users of the issue.
In a statement to The Verge the company said, "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix."
Apple did not say when it expects the issue to be resolved.
Comments
Apple's security people seem to have very quick reactions these days. That new malware browser plugin has already been added to Xprotect too.
They are certainly on top of holes more quickly than other companies and it's likely that the number of exploits is because of Apple's excessive mindshare, but I can't hype but wonder if many of them should not have happened in the first place.
2. never, ever, associate your email with your b-day, or anything else for that matter. Also, never use a password for two different services or companies. In fact, use a unique email address for any specific purpose; easy to delete when not used anymore. And easy to defeat spam.
Good question.
Even if you trust the company you're giving it to there are still possible gaps that can be exploited by a company that is completely on the up and up. Somethings they aren't coding issues that can be circumvented like this current issue or a hacker gaining access to a server, but an employee or even pulling the info over an unsecured WiFi hotspot.
Lass Pass is certainly less expensive but it's not as nice and since it's server-based it does offer a potential security risk if hacked. Still, I'd use Lass Pass over nothing.
Quote:
Originally Posted by SolipsismX
They are certainly on top of holes more quickly than other companies and it's likely that the number of exploits is because of Apple's excessive mindshare, but I can't hype but wonder if many of them should not have happened in the first place.
It's very difficult to test every conceivable way to hack into an OS before a company releases a new OS version. It doesn't matter if it's Apple, Microsoft, etc. The thing that is most important and getting them fixed as quickly as possible and having as little potential way to hack them in the first place. When the Android device mfg released the NFC chip, there was a hack that surfaced fairly soon afterwards. Maybe that might be a reason why Apple didn't want to just stick a NFC chip inside since that exploit surfaced I think just before the iPhone 5 was released, so Apple probably thought it might be worthwhile waiting, plus there's also the business need has to be there as well.
Either way, the benefit of iOS is that when they release an update, we all get it immediately, and there is always a lot of visibility for them to fix major problems. Android, on the other hand, is FAR more difficult to get every mfg and model to get an update, which is why I personally won't even consider the Android platform. Microsoft does an OK job, but they've not done very well in the past with previous versions of Windows for the desktop, which is one of the reasons why I stick with OS X.
I don't use iCoud, keeping it low profile with older gear at 10.6.8.
Suspect I'll be forced to upgrade eventually.
If I wanted to use a cloud - I'd use RackSpace - some testing done - looks solid.
iCloud - or iCould - used for low profile data only.
I'm sure it gets resolved.
Quote:
Originally Posted by SolipsismX
Lass Pass is certainly less expensive but it's not as nice and since it's server-based it does offer a potential security risk if hacked. Still, I'd use Lass Pass over nothing.
My understanding is that both are equally secure. LastPass encrypts/decrypts the data on the device with keys unique to that device that stay on the device. Data on the server cannot be accessed even by the operators of LastPass because they have no access to the keys. I will admit that the 1Password interface is much, much nicer.
Quote:
Originally Posted by Philscbx
Seems Odd Apple doesn't verify IP of user to acknowledge access.
Probably because IPs can be spoofed easily enough.
Since those sync over the internet I have a difficult time trusting it. I therefore use Bento, the 'standalone' app from FileMaker. Make all changes on my MP, plug in iPhone and iPad, have the app open on all 3 and synchronize. Sounds cumbersome, but it is the safest way I know. And the app asks for a PIN in order to open it. As I don't make dailey changes it works for me.
Can't find a story for that. Do know that even after you enable it (or dismiss that popup) it comes back every now and then. I presume because it loses the network connection every now and then. It only happens on my iPad. Plural, actually, but I disabled everything on my Gen1 and use it as a media AirPlayer, to the AppleTV, connected over optical cable to the stereo. But this is all OT, coming from OT.
Originally Posted by SolipsismX
Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.
There's not even a way to see what devices are using your local AirPort network. I seriously doubt they've given people the option to see what of their devices are using iCloud…
Hmm, with Airport Util 6.2 I see the wireless clients, by MAC address and name, if setup properly
Quote:
Originally Posted by SolipsismX
Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.
You might want to change your password just to be on the safe side.
Does any one remember when Apple didn't have to release os versions to fix such stupid mistakes?
1Password can sync to other devices directly without using Dropbox, if you wish.
I remember it like it was yesterday… because it was yesterday. No OS update was released to resolve this issue.
Originally Posted by PhilBoogie
Hmm, with Airport Util 6.2 I see the wireless clients, by MAC address and name, if setup properly
Yes, but that's it! I see a list of MAC addresses, local IPs, and names. I have no means to set what MAC address corresponds to what computer, I have no means to individually allow or deny said connections…
I can't tell what is what, where, or why.
And since switching over to a new AirPort Extreme, I'm under the impression that computers I have explicitly disallowed connecting are somehow still connecting… But there's no way for me to actually check that!
One thumb for tipping me; I'll take another look @ 1Password. Two thumbs up for your response to tyler36k.
Hmm, I'm on a AE, and there's a tab 'Network' with a button 'Timed Access Control...' and I can config the times, or deny it all. Maybe I'm not understanding your config correctly...
That sounds weird. I presume you have gone the IT route, trying out a reset, reinstall, delete and add Macs and all that?
Originally Posted by PhilBoogie
Hmm, I'm on a AE, and there's a tab 'Network' with a button 'Timed Access Control...' and I can config the times, or deny it all. Maybe I'm not understanding your config correctly...
I mean to say that I'd really like to see it as a live, updating list rather than just in the configuration.
That sounds weird. I presume you have gone the IT route, trying out a reset, reinstall, delete and add Macs and all that?
I hope you don't mean of all the OS' on my computers and devices, but rather just the AirPort Extreme.
And yes. I imagine it's just this stupid new AirPort Utility (since now that I have a device with which it's compatible I can comment on its use) which is, in every respect, completely and utterly unusable. Yes, it added the ability to see a list of the current connections (better than the old one, which wouldn't show you anything of that sort), but what good is that when I can't do anything with them?
Had to use the old one to even set MAC address access control… (EDIT: Now I can both see and add MAC addresses to the list of approved machines via the new AirPort Utility, but I could not before doing it in the old one.
If NOTHING else, I'd like the text list comprised of ".local" names, MAC addresses, AND local IPs to be, you know, just the NAMES of the computers and devices involved. I don't have the memory to remember actually important things; I can't be spending hours memorizing the MAC addresses of my devices to know what's on and where, and using that to know when I don't recognize a MAC address, leading me to think there's someone on my network!
Dear, no, just the Airport software on your Mac. Maybe the firmware on your Airport, if that would help(?)
Yes, you can, it's in the above screen dump.
That's an understandable request, and can only hope for Apple to improve on it. Perhaps I should give feedback...
OT: replying to your reply on my post generates that html jibbery:
<span style="color:rgb(24,24,24);font-family:arial, helvetica, sans-serif;line-height:18px;">
Bit annoying when typing ones' reply. Can you tip Huddler for improvement on that as well please?
Originally Posted by PhilBoogie
Yes, you can, it's in the above screen dump.
Yeah, you can add a description there, but THAT AirPort Utility doesn't let you see what is connected to the network, and the OTHER one doesn't SHOW that description.
I swear, Apple should NEVER have released AirPort Utility 6 until it was done. It's not even alpha-worthy right now.