Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Mar 22, 2013.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    The Verge is reporting that the Apple ID login system has been compromised and passwords can be reset using only the user's email address and date of birth. Users who have activated the new two-step verification process are not affected by the hack.

    Out of concerns for user security, The Verge did not share any information about how to perform the hack, and Apple has not publicly commented on the issue.

    Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed.

    The two-step verification system for Apple ID accounts was introduced yesterday and is supposed to provide users with a login sequence that is nearly impossible to hack for someone without physical access to the user's devices.

    Update 1:29 PM: Apple has taken its iForgot password reset system offline.

    Update 8:48 PM: Apple's iForgot system is active once again, and iMore has confirmed that the issue has been fixed.

    Article Link: Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth
     
  2. macrumors 68000

    nepalisherpa

    Joined:
    Aug 15, 2011
    Location:
    USA
    #2
    I better activate the two-step verification then!
     
  3. macrumors 601

    HiRez

    Joined:
    Jan 6, 2004
    Location:
    Western US
    #3
    Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!
     
  4. macrumors 603

    ChazUK

    Joined:
    Feb 3, 2008
    Location:
    Essex (UK)
    #4
    I'll be right behind you. :eek:
     
  5. macrumors 68040

    tigres

    Joined:
    Aug 31, 2007
    Location:
    Land of the Free-Waiting for Term Limits
    #5
    I have a .mac and did it yesterday.
     
  6. macrumors 6502

    Joined:
    Apr 14, 2010
    #6
    Wow. This is a bit of a shocker. Two step here I come.
     
  7. macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #7
    I have a .mac also but I have to wait three days.
     
  8. macrumors 6502a

    Joined:
    Jul 5, 2004
    #8
    Apple is just a horrible web services company. They've never done much right in the space.
     
  9. macrumors 65816

    Joined:
    Aug 1, 2010
    Location:
    Illinois
    #9
    I think it's best for our security to, at once, remove ourselves from the dangerous Apple ecosystem.
     
  10. macrumors 601

    Prof.

    Joined:
    Aug 17, 2007
    Location:
    Chicago
    #10
    Just activated mine. :eek: Just gotta wait til the 25th to complete the process.
     
  11. macrumors member

    Joined:
    May 21, 2009
    #11
    Unbelievable. I was asking why 2-step doesn't appear with my .mac account.

    This is unacceptable.
     
  12. macrumors G5

    gnasher729

    Joined:
    Nov 25, 2005
    #12
    You can't transfer to another, but you can _change_ your AppleID. (I had to, because my AppleID was firstname.lastname, and at some point Apple needed an @ in the AppleID).
     
  13. macrumors 6502

    techpr

    Joined:
    Sep 9, 2008
    Location:
    San Juan, PR
    #13
    Apple needs to remove this stupid (3) day waiting to activate Two-Step Authentication.
     
  14. macrumors 6502

    redscull

    Joined:
    Jul 1, 2010
    Location:
    Texas
    #14
    I don't see my birthday or how to edit one when I go to Apple ID management on their website. What am I missing?
     
  15. keysofanxiety, Mar 22, 2013
    Last edited: Mar 22, 2013

    macrumors 68020

    keysofanxiety

    Joined:
    Nov 23, 2011
    #15
    Compared to whom? Microsoft? Google? The latter of which are considerably worse. :confused:
     
  16. macrumors 68000

    Joined:
    Jan 9, 2007
    #16
    Should be at the bottom of the "Password and Security" section.
     
  17. macrumors 65816

    lunaoso

    Joined:
    Sep 22, 2012
    Location:
    New England, USA
    #17
    Weird, I didn't have to wait at all. It activated right away. I wonder why it did for me and not for others?
     
  18. macrumors 68000

    Joined:
    Jan 9, 2007
    #18
    When is the last time either of them allowed a trivial password reset to anyone who knows your birthday (information often shared on Facebook)?
     
  19. macrumors 601

    HiRez

    Joined:
    Jan 6, 2004
    Location:
    Western US
    #19
    OK, that is really weird then. Wonder why I have no option for it. Hmm. I've had nothing but trouble with this AppleID, formerly being locked out of it because of a conflict between backup email addresses (which took me weeks and about 7 calls to Apple to resolve).
     
  20. macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #20
    My guess is multiple email addresses associated with your Apple ID or using the old .mac email as the primary email.
     
  21. macrumors 601

    Phil A.

    Joined:
    Apr 2, 2006
    Location:
    Telford, UK
    #21
    I've got a .mac (i.e. @mac.com) ID, and have just activated 2 step with no waiting time. I do have a complex password though (and have had for ages) which, according to the article yesterday, is what triggers not having to wait 3 days.

    I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.
     
  22. macrumors 68020

    keysofanxiety

    Joined:
    Nov 23, 2011
    #22
    Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities. :rolleyes:
     
  23. macrumors 68020

    Joined:
    Dec 13, 2012
    Location:
    Southern California
    #23
    I'm not going to go so far as to call them horrible, but it _is_ obvious that they either don't understand security (as hard as that is to believe).

    OR they just don't place a priority on it... other than lip service and marketing fluff. In their own eyes, Apple is perfect.

    As the fans would say... look at all the money they're making..... yeah right! As though that makes up for this kind of situation.
     
  24. macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #24
    I have a complex password that conforms to that. I suspect it to be something else.
     
  25. macrumors 68030

    needfx

    Joined:
    Aug 10, 2010
    Location:
    macrumors apparently
