Chicog Posted March 23, 2013 UPDATE: Apple's password-reset system currently appears to be down. An Apple account exploit allows anyone with your email address and date of birth to reset your Apple ID and iCloud account password. First reported by The Verge, the exploit uses Apple's own tools to break into accounts, using a modified URL and entering someone's date of birth on Apple's iForgot page. Directions on how to take advantage of the vulnerability were published in a step-by-step tutorial. On Thursday, Apple launched two-step verification for Apple ID and iCloud account passwords. When set up, two-step verification would prevent someone from using the vulnerability to access accounts. Much like the two-step verification process for other services, Apple's two-step verification verifies your identity when your account is accessed from a new device. Verification is done using another one of your devices, such as your iPhone. For instance, if you buy a new computer and sign into iCloud on it, Apple will send a numerical code to your iPhone via text message. You take the numerical code sent to your phone, and enter it into your computer to verify you are in fact who you say you are. You can, and should, set up two-step verification on your Apple accounts now here.
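The post above describes two reset paths: the weak one, where an email address plus a date of birth is enough to reset the password, and the two-step path, where a numeric code is sent to a trusted device and must be entered before the reset goes through. The model below is an added example written for this page, not code from the original thread or from Apple; it shows why the first path is trivially attackable (a date of birth is not a secret) and what the second factor has to get right server-side: random code, short lifetime, attempt limit, single use, and constant-time comparison. All names, the 4-digit code, the 5-minute lifetime and the 5-attempt limit are this example's own assumptions.

```python
"""Password-reset flow with an optional second factor (added example).

Models an account that relies only on e-mail address and date of birth,
and one with two-step verification, where a reset also requires a one-time
code delivered to a trusted device. Code length, lifetime and attempt
limit are assumptions of this example, not Apple's implementation.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses invalidate a code
CODE_DIGITS = 4          # assumption: numeric code length


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (bytes form accepts any input)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class Account:
    email: str
    date_of_birth: str        # "YYYY-MM-DD"; widely known, not a secret
    password: str
    two_step: bool = False
    trusted_device: str = ""  # phone number that receives the code


@dataclass
class Challenge:
    code: str
    expires_at: float
    new_password: str         # applied only once the code is verified
    attempts: int = 0


class ResetService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.clock = clock
        self.challenges = {}   # email -> pending Challenge
        self.sms_outbox = []   # (device, code) pairs; stands in for an SMS gateway

    def start_reset(self, email, date_of_birth, new_password):
        """Step 1: caller proves e-mail + DOB. Returns a status string."""
        acct = self.accounts.get(email)
        # Compare even for unknown accounts so timing does not reveal
        # whether the e-mail address exists.
        known_dob = acct.date_of_birth if acct else ""
        if acct is None or not _same(known_dob, date_of_birth):
            return "denied"
        if not acct.two_step:
            # Weak path: e-mail plus a guessable date of birth resets the password.
            acct.password = new_password
            return "ok"
        # Two-step path: park the request behind a one-time code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[email] = Challenge(
            code, self.clock() + CODE_TTL_SECONDS, new_password)
        self.sms_outbox.append((acct.trusted_device, code))
        return "code-sent"

    def finish_reset(self, email, code):
        """Step 2: caller presents the code received on the trusted device."""
        acct = self.accounts.get(email)
        chal = self.challenges.get(email)
        if acct is None or chal is None:
            return "no-challenge"
        if self.clock() > chal.expires_at:
            del self.challenges[email]
            return "expired"
        chal.attempts += 1
        if not _same(chal.code, code):
            if chal.attempts >= MAX_ATTEMPTS:
                del self.challenges[email]   # force a fresh code after lockout
                return "locked"
            return "bad-code"
        del self.challenges[email]           # single use
        acct.password = chal.new_password
        return "ok"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    svc = ResetService([
        Account("weak@example.com", "1990-01-01", "old"),
        Account("strong@example.com", "1990-01-01", "old",
                two_step=True, trusted_device="+15550100"),
    ])
    print("weak account:", svc.start_reset("weak@example.com", "1990-01-01", "pwned"))
    print("2SV account:", svc.start_reset("strong@example.com", "1990-01-01", "new"))
    _, sent_code = svc.sms_outbox[-1]
    print("wrong code:", svc.finish_reset("strong@example.com", "xxxx"))
    print("right code:", svc.finish_reset("strong@example.com", sent_code))
```

The attacker in the weak path needs nothing the victim has; in the two-step path they additionally need the trusted phone. The lockout and expiry matter because a 4-digit code has only 10,000 values and would otherwise fall to online guessing.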
Chicog Posted March 23, 2013 Author (edited) Apple has issued a fix for the major security hole in the Apple ID login page that could have potentially affected thousands of users. Earlier, in response to the discovery of the security exploit, the company had taken down the iForgot password reset page after a step-by-step tutorial was posted online to hack anyone's Apple ID account. Despite Apple rolling out two-step verification for logins a couple of days ago, many users had not switched over from the old system, which has been shown to be vulnerable to hacking. Any such user's password could have been easily reset using nothing but an email address and the date of birth. But now Apple has seemingly issued a fix that plugs the hole and brought the "forgot password" page back online. iMore reported that the security exploit, which involved manipulating a URL, was no longer active. Apple's quick fix comes after it was discovered that it was possible to access the page via other means even after it was taken down. The only way for a user to protect themselves was to activate Apple's two-step authentication. However, some users had been told they would have to wait three days before the new system would get activated. All such accounts could potentially have been a target. Even though the problem seems to have been fixed now, it is strongly recommended that iCloud and Apple ID users sign up for the two-step authentication as soon as possible. Earlier, The Verge reported that the exploit involves pasting in a modified URL while answering the date-of-birth security question on Apple's iForgot page. However, the website, among others, declined to reveal the link which had the step-by-step guide. Apple's two-step verification has only been floated out in the US, UK, Australia, Ireland and New Zealand. So before Apple issued a fix, all user accounts outside those countries were vulnerable.
The weaknesses in the Apple ID login and password system came into the spotlight last year after technology journalist Mat Honan revealed how hackers used the loopholes in the verification system to reset his password, worm their way into his entire digital life and wipe everything, including emails, pictures stored on iCloud and his work. In recent times, the company's services have been found to be quite vulnerable to attacks. In the case of iOS, Apple tried to fix a couple of ways of circumventing the passcode of the iPhone's lock screen. However, there has been another, more facile, exploit discovered for devices running the iOS 6.1.3 update. Edited March 23, 2013 by Chicog
nikster Posted March 24, 2013 They fixed it quick. Kinda had to take down the page right away as the exploit was so easy and public; if they'd left it for a few days they'd have a catastrophic security meltdown on their hands. I was going to set up two factor authentication but then they have these retarded corporate password rules & wanted me to change the password... argh.
Chicog Posted March 25, 2013 Author I wish they'd teach Oracle how to respond to exploits <sigh>