Hours after a security exploit was discovered regarding the resetting of Apple ID passwords, the company has acknowledged the issue and said it is actively working on a fix.
Update: As of 7 p.m. Pacific, Apple's iForgot webpage and related services are back online.
The vulnerability, exposed earlier on Friday, allows malicious users to reset the Apple ID and iCloud passwords of others using only the victim's email address and date of birth. The bug essentially grants unlimited access to every Apple service associated with the victim's Apple ID, including iTunes accounts, e-mail, and synced iCloud data.
Apple subsequently took down the iForgot password reset page "for maintenance" and updated the iCloud System Status webpage to inform users of the issue.
In a statement to The Verge the company said, "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix."
Apple did not say when it expects the issue to be resolved.
21 Comments
Apple's security people seem to have very quick reactions these days. That new malware browser plugin has already been added to Xprotect too.
[quote name="ascii" url="/t/156620/apple-working-on-fix-for-apple-id-password-security-hole#post_2299059"]Apple's security people seem to have very quick reactions these days. That new malware browser plugin has already been added to Xprotect too. [/quote] They are certainly on top of holes more quickly than other companies and it's likely that the number of exploits is because of Apple's excessive mindshare, but I can't help but wonder if many of them should not have happened in the first place.
1. but how to reset your pw now, while they're fixing it? 2. never, ever, associate your email with your b-day, or anything else for that matter. Also, never use a password for two different services or companies. In fact, use a unique email address for any specific purpose; easy to delete when not used anymore. And easy to defeat spam.
[quote name="PhilBoogie" url="/t/156620/apple-working-on-fix-for-apple-id-password-security-hole#post_2299108"]1. but how to reset your pw now, while they're fixing it?[/quote] Good question. [quote]2. never, ever, associate your email with your b-day, or anything else for that matter. Also, never use a password for two different services or companies. In fact, use a unique email address for any specific purpose; easy to delete when not used anymore. And easy to defeat spam.[/quote] Even if you trust the company you're giving it to, there are still possible gaps that can be exploited by a company that is completely on the up and up. Sometimes they aren't coding issues that can be circumvented like this current issue or a hacker gaining access to a server, but an employee or even pulling the info over an unsecured WiFi hotspot. [LIST] [*] 1Password — https://agilebits.com/onepassword — $18 for iOS app, $50 for Mac or Windows, $70 for Mac+Win bundle [*] LastPass — https://lastpass.com/ — Free to $12/yr [/LIST] LastPass is certainly less expensive but it's not as nice and since it's server-based it does offer a potential security risk if hacked. Still, I'd use LastPass over nothing.
It's very difficult to test every conceivable way to hack into an OS before a company releases a new OS version. It doesn't matter if it's Apple, Microsoft, etc. The thing that is most important is getting them fixed as quickly as possible and having as little potential to hack them in the first place. When the Android device mfg released the NFC chip, there was a hack that surfaced fairly soon afterwards. Maybe that might be a reason why Apple didn't want to just stick a NFC chip inside, since that exploit surfaced I think just before the iPhone 5 was released, so Apple probably thought it might be worthwhile waiting, plus the business need has to be there as well.
Either way, the benefit of iOS is that when they release an update, we all get it immediately, and there is always a lot of visibility for them to fix major problems. Android, on the other hand, is FAR more difficult to get every mfg and model to get an update, which is why I personally won't even consider the Android platform. Microsoft does an OK job, but they've not done very well in the past with previous versions of Windows for the desktop, which is one of the reasons why I stick with OS X.