Just a day after Apple tightened account security by introducing two-step verification, yet another vulnerability has been exposed, one that could allow a malicious user to reset the Apple ID and iCloud passwords of others using only an email address and a date of birth.
Update: Apple has taken the iForgot webpage offline for maintenance following reports of the vulnerability.
The vulnerability was posted to a website and allows password resets through Apple's iForgot page, The Verge reported on Friday. Citing security concerns, the publication did not link to the page detailing the exploit, but says it has confirmed the security hole firsthand.
The exploit requires knowledge of both the date of birth and the email address associated with an Apple ID. The report does not detail the process beyond saying that it involves pasting a modified URL into the browser while answering the date-of-birth security question on the iForgot page. Doing so lets the attacker set a new password, potentially handing over the whole Apple ID account. Since the date of birth is the only secret checked before the URL is tampered with, anyone whose birthday is easy to find is exposed for as long as the page stays up.
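The report does not say how the iForgot page was implemented, so the following is an added example, not Apple's code and not the published exploit. It models the class of flaw the description points at: a multi-step reset flow where the server, after checking the date of birth, trusts a step number carried in the URL to decide how far the user has got, so editing that URL skips the remaining check. Beside it is a version that keeps the stage reached with the server-side token. The account data, the second verification question and the URL layout are all constructed for illustration.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed sample data for the example; not a real account.
SAMPLE_ACCOUNTS = {
    "alice@example.com": {
        "dob": "1984-03-20",
        "answer": "rover",  # assumed second verification question after DOB
        "password": "old-password",
    }
}


def query_params(url: str) -> dict:
    """Flatten the query string of a reset URL into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class WeakResetService:
    """Flawed design: once the DOB check passes, the server only remembers that
    a token exists and trusts step= in the URL to say how far the client got."""

    def __init__(self, accounts: dict):
        self.accounts = {e: dict(a) for e, a in accounts.items()}
        self.tokens = {}  # token -> email, issued once DOB is verified

    def start(self, email: str, dob: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return "rejected"
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        return f"https://reset.example/iforgot?token={token}&step=2"

    def handle(self, url: str) -> str:
        p = query_params(url)
        email = self.tokens.get(p.get("token", ""))
        if email is None:
            return "rejected"
        if p.get("step") == "2":  # second verification question
            if p.get("answer") == self.accounts[email]["answer"]:
                return f"https://reset.example/iforgot?token={p['token']}&step=3"
            return "rejected"
        if p.get("step") == "3":  # set a new password
            # Nothing here proves step 2 was ever completed for this token.
            self.accounts[email]["password"] = p.get("new_password", "")
            del self.tokens[p["token"]]
            return "reset"
        return "rejected"


class FixedResetService:
    """Server-side state machine: the stage reached is stored with the token
    and advances only when the previous check succeeds; step= is ignored."""

    def __init__(self, accounts: dict):
        self.accounts = {e: dict(a) for e, a in accounts.items()}
        self.flows = {}  # token -> {"email": ..., "stage": ...}

    def start(self, email: str, dob: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return "rejected"
        token = secrets.token_urlsafe(16)
        self.flows[token] = {"email": email, "stage": "question"}
        return f"https://reset.example/iforgot?token={token}"

    def handle(self, url: str) -> str:
        p = query_params(url)
        flow = self.flows.get(p.get("token", ""))
        if flow is None:
            return "rejected"
        email = flow["email"]
        if flow["stage"] == "question":
            if p.get("answer") == self.accounts[email]["answer"]:
                flow["stage"] = "password"
                return "verified"
            return "rejected"
        if flow["stage"] == "password":
            self.accounts[email]["password"] = p.get("new_password", "")
            del self.flows[p["token"]]
            return "reset"
        return "rejected"


def attack(service, email: str, dob: str, new_password: str) -> str:
    """Attacker knows only email and DOB: pass the DOB step, then rewrite the
    returned URL to jump straight to the set-password step."""
    url = service.start(email, dob)
    if url == "rejected":
        return url
    token = query_params(url)["token"]
    forged = f"https://reset.example/iforgot?token={token}&step=3&new_password={new_password}"
    return service.handle(forged)


if __name__ == "__main__":
    for cls in (WeakResetService, FixedResetService):
        svc = cls(SAMPLE_ACCOUNTS)
        print(cls.__name__, attack(svc, "alice@example.com", "1984-03-20", "pwned"))
```

Against the weak service the forged request sets the password with nothing but email and date of birth; against the fixed one the same request is rejected because the token is still at the "question" stage. The general point is that every verification step in a reset flow has to be recorded on the server, bound to an unguessable token, and never inferred from anything the client sends.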
News of the exploit comes just a day after Apple enabled two-step verification for Apple IDs. Once the feature is turned on, users receive verification codes on their mobile devices, either through the Find My iPhone app or by text message, and those codes are required as a second check when making changes to an Apple ID account.
26 Comments
Looks like we might be using 6.1.8 before iOS 7 is released at this rate.
"Shut the company down and give the money back to the shareholders."
Let me guess, you have to take out the SIM card while unplugging the printer (has to be an HP printer that can't AirPlay) during an iTunes reencode of audio while Safari is downloading a .RAR file (not .ZIP).
Geez... :\ Is mobile security just a fairytale? One hole closes and another one opens. I don't know if Apple/Google/MS can move fast enough to fill every hole as fast as they're found. There's gotta be a better way. EDIT: From MacRumors: "Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed." Easy enough for those that read about it.
My guess is that it's going to turn out that it only works on those folks who keep skipping adding security questions to their account, haven't turned on two-step, etc. In other words, those that give a damn about their security will be fine.