MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion
Old Mar 22, 2013, 02:16 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

The Verge is reporting that the Apple ID login system has been compromised and passwords can be reset using only the user's email address and date of birth. Users who have activated the new two-step verification process are not affected by the hack.

Quote:
We've been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page. It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
Out of concerns for user security, The Verge did not share any information about how to perform the hack, and Apple has not publicly commented on the issue.

Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed.

The two-step verification system for Apple ID accounts was introduced yesterday and is supposed to provide users with a login sequence that is nearly impossible to hack for someone without physical access to the user's devices.

Update 1:29 PM: Apple has taken its iForgot password reset system offline.

Update 8:48 PM: Apple's iForgot system is active once again, and iMore has confirmed that the issue has been fixed.

Article Link: Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth
MacRumors is offline   0 Reply With Quote
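The report above says only that a modified URL pasted during the date-of-birth step let a reset go through; it does not say how. As an added example (not Apple's code and not a reconstruction of the actual bug), this shows the defensive pattern that class of flaw calls for: the server records which reset steps have actually passed, so nothing the client sends can advance the flow. The account data, token scheme and attempt limit are constructed for the example.

```python
# Added example: a password-reset flow whose step-by-step progress lives
# server-side, so editing URL or form parameters cannot skip a step.
# ACCOUNTS and MAX_DOB_ATTEMPTS are constructed values, not Apple's.
import secrets
from dataclasses import dataclass, field

ACCOUNTS = {"alice@example.com": {"dob": "1980-04-01", "password": "old"}}
MAX_DOB_ATTEMPTS = 3   # a date of birth is low-entropy, so limit guesses

@dataclass
class ResetSession:
    email: str
    verified: set = field(default_factory=set)   # steps proven on the server
    attempts: int = 0

SESSIONS: dict[str, ResetSession] = {}

def start_reset(email: str) -> str:
    """Step 1: open a server-side session keyed by an unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ResetSession(email=email)
    return token

def verify_dob(token: str, dob: str) -> bool:
    """Step 2: the only code path that can mark the DOB step as passed."""
    s = SESSIONS.get(token)
    if s is None or s.attempts >= MAX_DOB_ATTEMPTS:
        return False
    s.attempts += 1
    expected = ACCOUNTS.get(s.email, {}).get("dob", "")
    if expected and secrets.compare_digest(expected, dob):
        s.verified.add("dob")
        return True
    return False

def set_new_password(token: str, new_password: str) -> bool:
    """Step 3: refuses unless the server itself recorded step 2 as passed.
    No client-supplied parameter can add an entry to `verified`."""
    s = SESSIONS.get(token)
    if s is None or "dob" not in s.verified:
        return False
    ACCOUNTS[s.email]["password"] = new_password
    del SESSIONS[token]   # one-shot: the token cannot be replayed
    return True
```

The check in step 3 is the whole point: the decision to allow the reset depends on server-side state only, never on what the request claims about earlier steps.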
Old Mar 22, 2013, 02:18 PM   #2
nepalisherpa
macrumors 65816
 
Join Date: Aug 2011
Location: USA
I better activate the two-step verification then!
__________________
Macbook Air 11" 2013/i7/8GB RAM/250GB SSD
iPhone 5 32GB Black
nepalisherpa is offline   10 Reply With Quote
Old Mar 22, 2013, 02:20 PM   #3
HiRez
macrumors 601
 
HiRez's Avatar
 
Join Date: Jan 2004
Location: Western US
Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!
__________________
Go outside, the graphics are amazing!
HiRez is offline   8 Reply With Quote
Old Mar 22, 2013, 02:20 PM   #4
ChazUK
macrumors 603
 
ChazUK's Avatar
 
Join Date: Feb 2008
Location: Essex (UK)
Quote:
Originally Posted by nepalisherpa
I better activate the two-step verification then!
I'll be right behind you.
__________________
HTC One | Motorola Moto G | iPhone 4s | The Brick
LG Gpad | iPad Mini Retina | iPad 2 3g
ChazUK is offline   0 Reply With Quote
Old Mar 22, 2013, 02:21 PM   #5
tigres
macrumors 68040
 
tigres's Avatar
 
Join Date: Aug 2007
Location: Land of the Free-Waiting for Term Limits
Quote:
Originally Posted by HiRez
Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!
I have a .mac and did it yesterday.
__________________
Quicker than two shakes of a lamb's tail
tigres is offline   5 Reply With Quote
Old Mar 22, 2013, 02:23 PM   #6
iPadPublisher
macrumors 6502
 
Join Date: Apr 2010
Wow. This is a bit of a shocker. Two step here I come.
iPadPublisher is offline   0 Reply With Quote
Old Mar 22, 2013, 02:24 PM   #7
Peace
macrumors P6
 
Peace's Avatar
 
Join Date: Apr 2005
Location: Space--The ONLY Frontier
Quote:
Originally Posted by tigres
I have a .mac and did it yesterday.
I have a .mac also but I have to wait three days.
Peace is offline   0 Reply With Quote
Old Mar 22, 2013, 02:25 PM   #8
billystlyes
macrumors 6502
 
Join Date: Jul 2004
Apple is just a horrible web services company. They've never done much right in the space.
billystlyes is offline   33 Reply With Quote
Old Mar 22, 2013, 02:25 PM   #9
MultiMediaWill
macrumors 65816
 
Join Date: Aug 2010
Location: Illinois
I think it's best for our security to, at once, remove ourselves from the dangerous Apple ecosystem.
__________________
Click here for the iPhone 5 iOS 6.0 Jailbreak!
MacBook Pro 15" 2011 , 2.2 GHz Quad i7, 750GB HDD, 8GB RAM, Anti-Glare
iPhone 5 32gb
iPad 3 16gb
MultiMediaWill is offline   6 Reply With Quote
Old Mar 22, 2013, 02:26 PM   #10
Prof.
macrumors 68040
 
Prof.'s Avatar
 
Join Date: Aug 2007
Location: Chicago
Quote:
Originally Posted by nepalisherpa
I better activate the two-step verification then!
Quote:
Originally Posted by ChazUK
I'll be right behind you.
Just activated mine. Just gotta wait til the 25th to complete the process.
__________________
When kids look up to great scientists the way they do to great musicians and actors, civilization will jump to the next level
- Brian Greene
Prof. is offline   0 Reply With Quote
Old Mar 22, 2013, 02:27 PM   #11
trifero
macrumors member
 
Join Date: May 2009
Quote:
Originally Posted by HiRez
Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!
Unbelievable. I was asking why 2-step doesn't appear with my .mac account.

This is unacceptable.
trifero is offline   2 Reply With Quote
Old Mar 22, 2013, 02:29 PM   #12
gnasher729
macrumors G5
 
gnasher729's Avatar
 
Join Date: Nov 2005
Quote:
Originally Posted by HiRez
Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!
You can't transfer to another, but you can _change_ your AppleID. (I had to, because my AppleID was firstname.lastname, and at some point Apple needed an @ in the AppleID).
gnasher729 is offline   1 Reply With Quote
Old Mar 22, 2013, 02:31 PM   #13
techpr
macrumors 6502
 
Join Date: Sep 2008
Location: San Juan, PR
Apple needs to remove this stupid (3) day wait to activate Two-Step Authentication.
techpr is offline   2 Reply With Quote
Old Mar 22, 2013, 02:31 PM   #14
redscull
macrumors 6502
 
Join Date: Jul 2010
Location: Texas
I don't see my birthday or how to edit one when I go to Apple ID management on their website. What am I missing?
redscull is offline   1 Reply With Quote
Old Mar 22, 2013, 02:33 PM   #15
keysofanxiety
macrumors 6502a
 
keysofanxiety's Avatar
 
Join Date: Nov 2011
Location: In a house that defies physics by being colder than absolute zero.
Quote:
Originally Posted by billystlyes
Apple is just a horrible web services company. They've never done much right in the space.
Compared to whom? Microsoft? Google? The latter of which are considerably worse.

Last edited by keysofanxiety; Mar 22, 2013 at 02:33 PM. Reason: dat grammer
keysofanxiety is offline   6 Reply With Quote
Old Mar 22, 2013, 02:34 PM   #16
WestonHarvey1
macrumors 68000
 
Join Date: Jan 2007
Quote:
Originally Posted by redscull
I don't see my birthday or how to edit one when I go to Apple ID management on their website. What am I missing?
Should be at the bottom of the "Password and Security" section.
WestonHarvey1 is offline   0 Reply With Quote
Old Mar 22, 2013, 02:34 PM   #17
lunaoso
macrumors 65816
 
lunaoso's Avatar
 
Join Date: Sep 2012
Location: New England, USA
Quote:
Originally Posted by techpr
Apple needs to remove this stupid (3) day wait to activate Two-Step Authentication.
Weird, I didn't have to wait at all. It activated right away. I wonder why it did for me and not for others?
lunaoso is online now   1 Reply With Quote
Old Mar 22, 2013, 02:35 PM   #18
WestonHarvey1
macrumors 68000
 
Join Date: Jan 2007
Quote:
Originally Posted by keysofanxiety
Compared to whom? Microsoft? Google? The latter of which are considerably worse.
When is the last time either of them allowed a trivial password reset to anyone who knows your birthday (information often shared on Facebook)?
WestonHarvey1 is offline   9 Reply With Quote
Old Mar 22, 2013, 02:35 PM   #19
HiRez
macrumors 601
 
HiRez's Avatar
 
Join Date: Jan 2004
Location: Western US
Quote:
Originally Posted by tigres
I have a .mac and did it yesterday.
OK, that is really weird then. Wonder why I have no option for it. Hmm. I've had nothing but trouble with this AppleID, formerly being locked out of it because of a conflict between backup email addresses (which took me weeks and about 7 calls to Apple to resolve).
__________________
Go outside, the graphics are amazing!
HiRez is offline   1 Reply With Quote
Old Mar 22, 2013, 02:36 PM   #20
Peace
macrumors P6
 
Peace's Avatar
 
Join Date: Apr 2005
Location: Space--The ONLY Frontier
Quote:
Originally Posted by lunaoso
Weird, I didn't have to wait at all. It activated right away. I wonder why it did for me and not for others?
My guess is multiple email addresses associated with your Apple ID or using the old .mac email as the primary email.
Peace is offline   0 Reply With Quote
Old Mar 22, 2013, 02:37 PM   #21
Phil A.
macrumors 68040
 
Phil A.'s Avatar
 
Join Date: Apr 2006
Location: Telford, UK
I've got a .mac (i.e. @mac.com) ID, and have just activated 2 step with no waiting time. I do have a complex password though (and have had for ages) which, according to the article yesterday, is what triggers not having to wait 3 days.

Quote:
The verification system will request a password that has one letter, one number, one capital letter, and at least eight characters. If such a password is not already in use, users will need to wait three days to fully enable two-step verification. Users with an already compliant password can move on immediately to the next step.
I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.
__________________
Tell a man there are 300 billion stars in the universe and he'll believe you. Tell him a bench has wet paint on it and he'll have to touch it to be sure. ~Murphy's Law
Phil A. is offline   6 Reply With Quote
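The rule quoted in the post above (one letter, one number, one capital letter, at least eight characters) and the three-day wait it gates, written out as one decision function. This is an added example, not Apple's code; the `today` argument and the sample passwords are constructed, and the reported list of unmet rules is an assumption about what such a check would tell the user.

```python
# Added example: the password-complexity rule quoted on the page decides
# whether two-step verification can be completed immediately or only after
# the three-day waiting period. Rule names and the date input are constructed.
from datetime import date, timedelta

WAIT_DAYS = 3   # per the quoted article; the delay gives the real owner time
                # to react to a two-step activation they did not request

# Each rule from the quoted text as a named predicate, so a failing password
# can be reported with the exact requirement it misses.
RULES = {
    "at least 8 characters": lambda p: len(p) >= 8,
    "at least one letter": lambda p: any(c.isalpha() for c in p),
    "at least one number": lambda p: any(c.isdigit() for c in p),
    "at least one capital letter": lambda p: any(c.isupper() for c in p),
}

def unmet_rules(password: str) -> list[str]:
    """Names of the quoted requirements this password does not satisfy."""
    return [name for name, ok in RULES.items() if not ok(password)]

def two_step_activation(password: str, today: date) -> tuple[str, date, list[str]]:
    """Return ("immediate", today, []) when the current password already
    complies, else ("wait", <date two-step can complete>, <unmet rules>)."""
    missing = unmet_rules(password)
    if not missing:
        return ("immediate", today, [])
    return ("wait", today + timedelta(days=WAIT_DAYS), missing)
```

Run against the thread's own dates, a non-compliant password activated on Mar 22 completes on the 25th, which matches the wait another poster reports above.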
Old Mar 22, 2013, 02:38 PM   #22
keysofanxiety
macrumors 6502a
 
keysofanxiety's Avatar
 
Join Date: Nov 2011
Location: In a house that defies physics by being colder than absolute zero.
Quote:
Originally Posted by WestonHarvey1
When is the last time either of them allowed a trivial password reset to anyone who knows your birthday (information often shared on Facebook)?
Oh no, a bug in Apple's software. That's far worse than Google doing things like oh, let's say tracking you for marketing purposes. Glad you've got your priorities.
keysofanxiety is offline   6 Reply With Quote
Old Mar 22, 2013, 02:39 PM   #23
maxosx
macrumors 68020
 
Join Date: Dec 2012
Location: Southern California
Quote:
Originally Posted by billystlyes
Apple is just a horrible web services company. They've never done much right in the space.
I'm not going to go so far as to call them horrible, but it _is_ obvious that they either don't understand security (as hard as that is to believe).

OR they just don't place a priority on it... other than lip service and marketing fluff. In their own eyes, Apple is perfect.

As the fans would say... look at all the money they're making..... yeah right! As though that makes up for this kind of situation.
maxosx is offline   4 Reply With Quote
Old Mar 22, 2013, 02:39 PM   #24
Peace
macrumors P6
 
Peace's Avatar
 
Join Date: Apr 2005
Location: Space--The ONLY Frontier
Quote:
Originally Posted by Phil A.
I've got a .mac (i.e. @mac.com) ID, and have just activated 2 step with no waiting time. I did have a complex password though which, according to the article yesterday, is what triggers not having to wait 3 days

I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.
I have a complex password that conforms to that. I suspect it to be something else.
Peace is offline   0 Reply With Quote
Old Mar 22, 2013, 02:40 PM   #25
needfx
macrumors 68000
 
needfx's Avatar
 
Join Date: Aug 2010
Location: macrumors apparently
too many security issues accumulating lately
needfx is offline   7 Reply With Quote