Apple working on fix for Apple ID password security hole [update: fixed]

Posted in General Discussion, edited January 2014
Hours after a security hole in the Apple ID password reset process was discovered, the company has acknowledged the issue and said it is actively working on a fix.

Update: As of 7 p.m. Pacific, Apple's iForgot webpage and related services are back online.

The vulnerability, exposed earlier on Friday, allowed malicious users to reset the Apple ID and iCloud passwords of others using only the victim's email address and date of birth. Because the password is the only gate, the bug effectively granted full access to every Apple service tied to the victim's Apple ID, including iTunes accounts, e-mail, and synced iCloud data.

After the discovery, Apple took down the iForgot password reset page "for maintenance" and updated the iCloud System Status webpage to inform users of the issue.

In a statement to The Verge the company said, "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix."

Apple did not say when it expects the issue to be resolved.

Comments

  • Reply 1 of 21
    ascii Posts: 5,936 member


    Apple's security people seem to have very quick reactions these days. That new malware browser plugin has already been added to Xprotect too.

  • Reply 2 of 21
    solipsismx Posts: 19,566 member
    ascii wrote: »
    Apple's security people seem to have very quick reactions these days. That new malware browser plugin has already been added to Xprotect too.

    They are certainly on top of holes more quickly than other companies and it's likely that the number of exploits is because of Apple's excessive mindshare, but I can't help but wonder if many of them should not have happened in the first place.
  • Reply 3 of 21
    philboogie Posts: 7,675 member
    1. but how to reset your pw now, while they're fixing it?

    2. never, ever, associate your email with your b-day, or anything else for that matter. Also, never use a password for two different services or companies. In fact, use a unique email address for any specific purpose; easy to delete when not used anymore. And easy to defeat spam.
  • Reply 4 of 21
    solipsismx Posts: 19,566 member
    philboogie wrote: »
    1. but how to reset your pw now, while they're fixing it?

    Good question.
    2. never, ever, associate your email with your b-day, or anything else for that matter. Also, never use a password for two different services or companies. In fact, use a unique email address for any specific purpose; easy to delete when not used anymore. And easy to defeat spam.

    Even if you trust the company you're giving it to, there are still possible gaps that can be exploited at a company that is completely on the up and up. Sometimes they aren't coding issues that can be circumvented like this current issue or a hacker gaining access to a server, but an employee, or even pulling the info over an unsecured WiFi hotspot.


    LastPass is certainly less expensive but it's not as nice and since it's server-based it does offer a potential security risk if hacked. Still, I'd use LastPass over nothing.
  • Reply 5 of 21
    drblank Posts: 3,385 member

    Quote: Originally Posted by SolipsismX View Post

    They are certainly on top of holes more quickly than other companies and it's likely that the number of exploits is because of Apple's excessive mindshare, but I can't help but wonder if many of them should not have happened in the first place.

    It's very difficult to test every conceivable way to hack into an OS before a company releases a new OS version. It doesn't matter if it's Apple, Microsoft, etc. The thing that is most important is getting them fixed as quickly as possible and having as little potential way to hack them in the first place. When the Android device mfg released the NFC chip, there was a hack that surfaced fairly soon afterwards. Maybe that might be a reason why Apple didn't want to just stick an NFC chip inside, since that exploit surfaced I think just before the iPhone 5 was released, so Apple probably thought it might be worthwhile waiting; plus the business need has to be there as well.

    Either way, the benefit of iOS is that when they release an update, we all get it immediately, and there is always a lot of visibility for them to fix major problems. Android, on the other hand, is FAR more difficult to get every mfg and model to get an update, which is why I personally won't even consider the Android platform. Microsoft does an OK job, but they've not done very well in the past with previous versions of Windows for the desktop, which is one of the reasons why I stick with OS X.

  • Reply 6 of 21
    clemynx Posts: 1,552 member
    Update in Windows 8 is totally seamless and automatic.
  • Reply 7 of 21
    solipsismx Posts: 19,566 member
    Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.
  • Reply 8 of 21
    Philscbx
    Seems odd Apple doesn't verify IP of user to acknowledge access.

    I don't use iCloud, keeping it low profile with older gear at 10.6.8.
    Suspect I'll be forced to upgrade eventually.

    If I wanted to use a cloud - I'd use RackSpace - some testing done - looks solid.

    iCloud - or iCould - used for low profile data only.

    I'm sure it gets resolved.
  • Reply 9 of 21
    waybacmac Posts: 309 member

    Quote: Originally Posted by SolipsismX View Post

    LastPass is certainly less expensive but it's not as nice and since it's server-based it does offer a potential security risk if hacked. Still, I'd use LastPass over nothing.

    My understanding is that both are equally secure. LastPass encrypts/decrypts the data on the device with keys unique to that device that stay on the device. Data on the server cannot be accessed even by the operators of LastPass because they have no access to the keys. I will admit that the 1Password interface is much, much nicer.

    Quote: Originally Posted by Philscbx View Post

    Seems odd Apple doesn't verify IP of user to acknowledge access.

    Probably because IPs can be spoofed easily enough.

  • Reply 10 of 21
    philboogie Posts: 7,675 member
    solipsismx wrote: »

    Since those sync over the internet I have a difficult time trusting it. I therefore use Bento, the 'standalone' app from FileMaker. Make all changes on my MP, plug in iPhone and iPad, have the app open on all 3 and synchronize. Sounds cumbersome, but it is the safest way I know. And the app asks for a PIN in order to open it. As I don't make daily changes it works for me.
    solipsismx wrote: »
    Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.

    Can't find a story for that. Do know that even after you enable it (or dismiss that popup) it comes back every now and then. I presume because it loses the network connection every now and then. It only happens on my iPad. Plural, actually, but I disabled everything on my Gen1 and use it as a media AirPlayer, to the AppleTV, connected over optical cable to the stereo. But this is all OT, coming from OT.
  • Reply 11 of 21
    tallest skil Posts: 43,388 member

    Originally Posted by SolipsismX View Post

    Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.

    There's not even a way to see what devices are using your local AirPort network. I seriously doubt they've given people the option to see what of their devices are using iCloud…

  • Reply 12 of 21
    philboogie Posts: 7,675 member
    There's not even a way to see what devices are using your local AirPort network.

    Hmm, with AirPort Utility 6.2 I see the wireless clients, by MAC address and name, if set up properly.
  • Reply 13 of 21
    evilution Posts: 1,399 member

    Quote: Originally Posted by SolipsismX View Post

    Off Topic: Is there a way to see what devices are using iMessages? I just had one pop up that said "iPad" is now accessing iMessages yet my iPad was already accessing iMessages.

    You might want to change your password just to be on the safe side.

  • Reply 14 of 21
    tylerk36 Posts: 1,037 member

    Does anyone remember when Apple didn't have to release OS versions to fix such stupid mistakes?

  • Reply 15 of 21
    solipsismx Posts: 19,566 member
    philboogie wrote: »
    Since those sync over the internet I have a difficult time trusting it. I therefore use Bento, the 'standalone' app from FileMaker. Make all changes on my MP, plug in iPhone and iPad, have the app open on all 3 and synchronize. Sounds cumbersome, but it is the safest way I know. And the app asks for a PIN in order to open it. As I don't make daily changes it works for me.

    1Password can sync to other devices directly without using Dropbox, if you wish.
    tylerk36 wrote: »
    Does anyone remember when Apple didn't have to release OS versions to fix such stupid mistakes?

    I remember it like it was yesterday… because it was yesterday. No OS update was released to resolve this issue.
  • Reply 16 of 21
    tallest skil Posts: 43,388 member

    Originally Posted by PhilBoogie View Post

    Hmm, with AirPort Utility 6.2 I see the wireless clients, by MAC address and name, if set up properly.

    Yes, but that's it! I see a list of MAC addresses, local IPs, and names. I have no means to set what MAC address corresponds to what computer, I have no means to individually allow or deny said connections…

    I can't tell what is what, where, or why.

    And since switching over to a new AirPort Extreme, I'm under the impression that computers I have explicitly disallowed connecting are somehow still connecting… But there's no way for me to actually check that!

  • Reply 17 of 21
    philboogie Posts: 7,675 member
    solipsismx wrote: »
    1Password can sync to other devices directly without using Dropbox, if you wish.

    I remember it like it was yesterday… because it was yesterday. No OS update was released to resolve this issue.

    One thumb up for tipping me; I'll take another look @ 1Password. Two thumbs up for your response to tylerk36.
    ...I have no means to individually allow or deny said connections… 

    Hmm, I'm on an AE, and there's a tab 'Network' with a button 'Timed Access Control...' and I can config the times, or deny it all. Maybe I'm not understanding your config correctly...
    And since switching over to a new AirPort Extreme, I'm under the impression that computers I have explicitly disallowed connecting are somehow still connecting… But there's no way for me to actually check that!

    That sounds weird. I presume you have gone the IT route, trying out a reset, reinstall, delete and add Macs and all that?
  • Reply 18 of 21
    tallest skil Posts: 43,388 member

    Originally Posted by PhilBoogie View Post

    Hmm, I'm on an AE, and there's a tab 'Network' with a button 'Timed Access Control...' and I can config the times, or deny it all. Maybe I'm not understanding your config correctly...

    I mean to say that I'd really like to see it as a live, updating list rather than just in the configuration.

    That sounds weird. I presume you have gone the IT route, trying out a reset, reinstall, delete and add Macs and all that?

    I hope you don't mean of all the OS' on my computers and devices, but rather just the AirPort Extreme.

    And yes. I imagine it's just this stupid new AirPort Utility (since now that I have a device with which it's compatible I can comment on its use) which is, in every respect, completely and utterly unusable. Yes, it added the ability to see a list of the current connections (better than the old one, which wouldn't show you anything of that sort), but what good is that when I can't do anything with them?

    Had to use the old one to even set MAC address access control… (EDIT: Now I can both see and add MAC addresses to the list of approved machines via the new AirPort Utility, but I could not before doing it in the old one.)

    If NOTHING else, I'd like the text list comprised of ".local" names, MAC addresses, AND local IPs to be, you know, just the NAMES of the computers and devices involved. I don't have the memory to remember actually important things; I can't be spending hours memorizing the MAC addresses of my devices to know what's on and where, and using that to know when I don't recognize a MAC address, leading me to think there's someone on my network!

  • Reply 19 of 21
    philboogie Posts: 7,675 member
    I hope you don't mean of all the OS' on my computers and devices, but rather just the AirPort Extreme. :lol:

    Dear, no, just the AirPort software on your Mac. Maybe the firmware on your AirPort, if that would help(?)
    And yes. I imagine it's just this stupid new AirPort Utility (since now that I have a device with which it's compatible I can comment on its use) which is, in every respect, completely and utterly unusable. Yes, it added the ability to see a list of the current connections (better than the old one, which wouldn't show you anything of that sort), but what good is that when I can't do anything with them? 

    But the old AirPort Utility 5.6 shows the client names, well, if you enter a description, which helps:
    [screen dump of the AirPort Utility 5.6 client list]

    Had to use the old one to even set MAC address access control… (EDIT: Now I can both see and add MAC addresses to the list of approved machines via the new AirPort Utility, but I could not before doing it in the old one. :no: ) 
    Yes, you can, it's in the above screen dump.
    If NOTHING else, I'd like the text list comprised of ".local" names, MAC addresses, AND local IPs to be, you know, just the NAMES of the computers and devices involved. I don't have the memory to remember actually important things; I can't be spending hours memorizing the MAC addresses of my devices to know what's on and where, and using that to know when I don't recognize a MAC address, leading me to think there's someone on my network!

    That's an understandable request, and can only hope for Apple to improve on it. Perhaps I should give feedback...

    OT: replying to your reply on my post generates that html jibbery:
    <span style="color:rgb(24,24,24);font-family:arial, helvetica, sans-serif;line-height:18px;">

    Bit annoying when typing one's reply. Can you tip Huddler for improvement on that as well please?
  • Reply 20 of 21
    tallest skil Posts: 43,388 member

    Originally Posted by PhilBoogie View Post

    Yes, you can, it's in the above screen dump.

    Yeah, you can add a description there, but THAT AirPort Utility doesn't let you see what is connected to the network, and the OTHER one doesn't SHOW that description.

    I swear, Apple should NEVER have released AirPort Utility 6 until it was done. It's not even alpha-worthy right now.
