Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

[MacRumors]

The Verge is reporting that the Apple ID login system has been compromised and passwords can be reset using only the user's email address and date of birth. Users who have activated the new two-step verification process are not affected by the hack.

Quote:

We've been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page. It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.

Out of concerns for user security, The Verge did not share any information about how to perform the hack, and Apple has not publicly commented on the issue.

Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed.

The two-step verification system for Apple ID accounts was introduced yesterday and is supposed to provide users with a login sequence that is nearly impossible to hack for someone without physical access to the user's devices.

Update 1:29 PM: Apple has taken its iForgot password reset system offline.

Update 8:48 PM: Apple's iForgot system is active once again, and iMore has confirmed that the issue has been fixed.

Article Link: Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

[nepalisherpa]

I better activate the two-step verification then!

[HiRez]

Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!

[ChazUK]

Quote:

Originally Posted by nepalisherpa

I better activate the two-step verification then!

I'll be right behind you.

[tigres]

Quote:

Originally Posted by HiRez

Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!

I have a .mac and did it yesterday.

[iPadPublisher]

Wow. This is a bit of a shocker. Two step here I come.

[Peace]

Quote:

Originally Posted by tigres

I have a .mac and did it yesterday.

I have a .mac also but I have to wait three days.

[billystlyes]

Apple is just a horrible web services company. They've never done much right in the space.

[MultiMediaWill]

I think it's best for our security to, at once, remove our selves from the dangerous Apple ecosystem.

[Prof.]

Quote:

Originally Posted by nepalisherpa

I better activate the two-step verification then!

Quote:

Originally Posted by ChazUK

I'll be right behind you.

Just activated mine. Just gotta wait til the 25th to complete the process.

[trifero]

Quote:

Originally Posted by HiRez

Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!

Unbelievable. i was asking why 2-steps doesn't appears with my .mac account.

This is unacceptable.

[gnasher729]

Quote:

Originally Posted by HiRez

Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!

You can't transfer to another, but you can _change_ your AppleID. (I had to, because my AppleID was firstname.lastname, and at some point Apple needed an @ in the AppleID).

[techpr]

Apple need to remove this stupid (3) day waiting to activate Two-Step Authentication. .

[redscull]

I don't see my birthday or how to edit one when I go to Apple ID management on their website. What am I missing?

[keysofanxiety]

Quote:

Originally Posted by billystlyes

Apple is just a horrible web services company. They've never done much right in the space.

Compared to whom? Microsoft? Google? The latter of which are considerably worse.

[WestonHarvey1]

Quote:

Originally Posted by redscull

I don't see my birthday or how to edit one when I go to Apple ID management on their website. What am I missing?

Should be at the bottom of the "Password and Security" section.

[lunaoso]

Quote:

Originally Posted by techpr

Apple need to remove this stupid (3) day waiting to activate Two-Step Authentication. .

Weird, I didn't have to wait at all. It activated right away. I wonder why it did for me and not for others?

[WestonHarvey1]

Quote:

Originally Posted by keysofanxiety

Compared to whom? Microsoft? Google? The latter of which are considerably worse.

When is the last time either of them allowed a trivial password reset to anyone who knows your birthday (information often shared on Facebook)?

[HiRez]

Quote:

Originally Posted by tigres

I have a .mac and did it yesterday.

OK, that is really weird then. Wonder why I have no option for it. Hmm. I've had nothing but trouble with this AppleID, formerly being locked out of it because of a conflict between backup email addresses (which took me weeks and about 7 calls to Apple to resolve).

[Peace]

Quote:

Originally Posted by lunaoso

Weird, I didn't have to wait at all. It activated right away. I wonder why it did for me and not for others?

My guess is multiple email addresses associated with your Apple ID or using the old .mac email as the primary email.

[Phil A.]

I've got a .mac (i.e. @mac.com) ID, and have just activated 2 step with no waiting time. I do have a complex password though (and have had for ages) which, according to the article yesterday, is what triggers not having to wait 3 days

Quote:

The verification system will request a password that has one letter, one number, one capital letter, and at least eight characters. If such a password is not already in use, users will need to wait three days to fully enable two-step verification. Users with an already compliant password can move on immediately to the next step.

I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.

[keysofanxiety]

Quote:

Originally Posted by WestonHarvey1

When is the last time either of them allowed a trivial password reset to anyone who knows your birthday (information often shared on Facebook)?

Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities.

[maxosx]

Quote:

Originally Posted by billystlyes

Apple is just a horrible web services company. They've never done much right in the space.

I'm not going to go so far as to call them horrible, but it _is_ obvious that they either don't understand security (as hard as that is to believe).

OR they just don't place a priority on it... other than lip service and marketing fluff. In their own eyes, Apple is perfect.

As the fans would say... look at all the money they're making..... yeah right! As though that makes up for this kind of situation.

[Peace]

Quote:

Originally Posted by Phil A.

I've got a .mac (i.e. @mac.com) ID, and have just activated 2 step with no waiting time. I did have a complex password though which, according to the article yesterday, is what triggers not having to wait 3 days



I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.

I have a complex password that conforms to that . I suspect it to be something else.

[needfx]

too many security issues accumulating lately