
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,539
30,848



The Verge is reporting that the Apple ID login system has been compromised and passwords can be reset using only the user's email address and date of birth. Users who have activated the new two-step verification process are not affected by the hack.

> We've been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page. It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
> Out of concerns for user security, The Verge did not share any information about how to perform the hack, and Apple has not publicly commented on the issue.

Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed.

The two-step verification system for Apple ID accounts was introduced yesterday and is supposed to provide users with a login sequence that is nearly impossible to hack for someone without physical access to the user's devices.

Update 1:29 PM: Apple has taken its iForgot password reset system offline.

Update 8:48 PM: Apple's iForgot system is active once again, and iMore has confirmed that the issue has been fixed.

Article Link: Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth
 
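The flaw The Verge describes, a modified URL pasted during the date-of-birth step that lets the reset finish without the remaining checks, is the classic shape of a step-skipping bug in a multi-step reset flow: the server lets the client tell it which step it is on. The block below is an added example, not Apple's code, and it is not based on any detail of the iForgot implementation (the page does not disclose the actual mechanism). It models a reset flow whose final step trusts a client-supplied stage marker, next to one where the server keeps the per-flow state and the client only carries an opaque, expiring, single-use token. The sample account, stage names, class names and the `demo()` function are all constructed for the illustration.

```python
import copy
import hmac
import secrets
import time

# Constructed sample account (not real data); plaintext only to keep the demo short.
SAMPLE_ACCOUNTS = {
    "alice@example.com": {"dob": "1985-04-12", "answer": "rex", "password": "OldPassw0rd"},
}

class VulnerableReset:
    """Reset flow where the client names the step it is on (email -> DOB ->
    security question -> new password). The 'reset' branch never checks that
    the question step happened, so a request can jump to it from the DOB page."""

    def __init__(self, accounts):
        self.accounts = accounts

    def handle(self, params):
        acct = self.accounts.get(params.get("email"))
        if acct is None:
            return "unknown account"
        stage = params.get("stage")
        if stage == "dob":
            return "ok" if params.get("dob") == acct["dob"] else "wrong dob"
        if stage == "question":
            return "ok" if params.get("answer") == acct["answer"] else "wrong answer"
        if stage == "reset":
            # BUG: trusts the client-chosen stage; nothing proves earlier steps passed.
            acct["password"] = params["new_password"]
            return "password changed"
        return "bad stage"

class HardenedReset:
    """Same flow, but the server owns the state; the client holds only a token."""

    TTL = 15 * 60  # seconds a reset flow may live
    # stage -> (account field checked at that stage, stage to move to on success)
    STEPS = {"dob": ("dob", "question"), "question": ("answer", "reset")}

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts
        self.flows = {}  # token -> {"email", "stage", "expires"}
        self._now = now

    def start(self, email):
        if email not in self.accounts:
            return None  # production code should respond identically for unknown emails
        token = secrets.token_urlsafe(32)
        self.flows[token] = {"email": email, "stage": "dob", "expires": self._now() + self.TTL}
        return token

    def _take(self, token, stage):
        """Pop the flow; return it only if it is live and at `stage`. Popping first means an
        expired token, a wrong answer or an out-of-order request kills the flow."""
        flow = self.flows.pop(token, None)
        if flow is None or flow["expires"] < self._now() or flow["stage"] != stage:
            return None
        return flow

    def verify(self, token, stage, value):
        """Answer the DOB or security-question check; False on any failure."""
        flow = self._take(token, stage) if stage in self.STEPS else None
        if flow is None:
            return False
        field, next_stage = self.STEPS[stage]
        if not hmac.compare_digest(value.encode(), self.accounts[flow["email"]][field].encode()):
            return False
        flow["stage"] = next_stage
        self.flows[token] = flow  # re-inserted only after the step succeeded
        return True

    def set_password(self, token, new_password):
        flow = self._take(token, "reset")  # consumed here: a token is single use
        if flow is None:
            return False
        self.accounts[flow["email"]]["password"] = new_password
        return True

def demo():
    """Run the step-skip against both flows and report what happened to each."""
    vuln, hard = copy.deepcopy(SAMPLE_ACCOUNTS), copy.deepcopy(SAMPLE_ACCOUNTS)
    v = VulnerableReset(vuln)
    v.handle({"email": "alice@example.com", "stage": "dob", "dob": "1985-04-12"})
    # Never answers the question: jumps straight to the reset stage.
    skip_vuln = v.handle({"email": "alice@example.com", "stage": "reset", "new_password": "attacker1"})

    h = HardenedReset(hard)
    token = h.start("alice@example.com")
    h.verify(token, "dob", "1985-04-12")
    skip_hard = h.set_password(token, "attacker1")  # flow is at 'question', not 'reset'

    token = h.start("alice@example.com")  # the legitimate path on a fresh flow
    legit = (h.verify(token, "dob", "1985-04-12") and h.verify(token, "question", "rex")
             and h.set_password(token, "NewPassw0rd!"))
    return {"vulnerable_skip": skip_vuln, "vulnerable_password": vuln["alice@example.com"]["password"],
            "hardened_skip": skip_hard, "hardened_legit": legit,
            "hardened_password": hard["alice@example.com"]["password"], "flows_left": len(h.flows)}
```

The point of the hardened version is that nothing the client sends names a step: the server looks up the flow behind the token and only accepts the one request its recorded stage allows, and any wrong, late or out-of-order request discards the flow rather than leaving it retryable. The same property is what two-step verification adds on top of knowledge-based checks such as a date of birth, which, as the thread notes, is often public.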

HiRez

macrumors 603
Jan 6, 2004
6,250
2,576
Western US
Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!
 

tigres

macrumors 601
Aug 31, 2007
4,213
1,326
Land of the Free-Waiting for Term Limits
> Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!

I have a .mac and did it yesterday.
 

trifero

macrumors 68030
May 21, 2009
2,728
2,574
> Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!

Unbelievable. I was asking why 2-step doesn't appear with my .mac account.

This is unacceptable.
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
> Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!

You can't transfer to another, but you can _change_ your AppleID. (I had to, because my AppleID was firstname.lastname, and at some point Apple needed an @ in the AppleID).
 

redscull

macrumors 6502a
Jul 1, 2010
849
832
Texas
I don't see my birthday or how to edit one when I go to Apple ID management on their website. What am I missing?
 

HiRez

macrumors 603
Jan 6, 2004
6,250
2,576
Western US
> I have a .mac and did it yesterday.

OK, that is really weird then. Wonder why I have no option for it. Hmm. I've had nothing but trouble with this AppleID, formerly being locked out of it because of a conflict between backup email addresses (which took me weeks and about 7 calls to Apple to resolve).
 

Phil A.

Moderator emeritus
Apr 2, 2006
5,799
3,094
Shropshire, UK
I've got a .mac (i.e. @mac.com) ID, and have just activated 2 step with no waiting time. I do have a complex password though (and have had for ages) which, according to the article yesterday, is what triggers not having to wait 3 days.

> The verification system will request a password that has one letter, one number, one capital letter, and at least eight characters. If such a password is not already in use, users will need to wait three days to fully enable two-step verification. Users with an already compliant password can move on immediately to the next step.

I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.
 
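The password rule quoted in the post above is concrete enough to turn into a checker. The following is an added example, not Apple's code and not the check Apple actually ran; it assumes "one letter" in the rule means one lowercase letter (a capital letter is listed separately) and that the three-day wait is the only consequence of failing the rule, as the quoted paragraph states. The function names and the rule table are the example's own.

```python
import re

MIN_LENGTH = 8
# Assumed reading of the quoted rule: "one letter" is taken as one lowercase
# letter, since "one capital letter" is listed separately.
RULES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
}


def policy_failures(password):
    """Names of the rules the password fails; an empty list means it is compliant."""
    failures = [name for name, pattern in RULES.items() if not pattern.search(password)]
    if len(password) < MIN_LENGTH:
        failures.append("length")
    return failures


def two_step_wait_days(password):
    """Waiting period before two-step is fully enabled, per the quoted rule:
    none for a compliant password, three days otherwise."""
    return 0 if not policy_failures(password) else 3
```

Note what the rule does and does not measure: `Passw0rd` passes every check and would skip the wait, yet it is one of the first guesses any cracking wordlist makes. A shape rule like this only establishes that the account is not protected by something trivially short or single-class; it says nothing about whether the password is guessable, which is the property the three-day delay is meant to compensate for.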

keysofanxiety

macrumors G3
Nov 23, 2011
9,539
25,302
> When is the last time either of them allowed a trivial password reset to anyone who knows your birthday (information often shared on Facebook)?

Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities. :rolleyes:
 

maxosx

macrumors 68020
Dec 13, 2012
2,385
1
Southern California
> Apple is just a horrible web services company. They've never done much right in the space.

I'm not going to go so far as to call them horrible, but it _is_ obvious that they either don't understand security (as hard as that is to believe).

OR they just don't place a priority on it... other than lip service and marketing fluff. In their own eyes, Apple is perfect.

As the fans would say... look at all the money they're making..... yeah right! As though that makes up for this kind of situation.
 

Peace

Cancelled
Apr 1, 2005
19,546
4,556
Space The Only Frontier
> I've got a .mac (i.e. @mac.com) ID, and have just activated 2 step with no waiting time. I did have a complex password though which, according to the article yesterday, is what triggers not having to wait 3 days.
>
> I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.

I have a complex password that conforms to that. I suspect it to be something else.
 