The password reset is still going to send an email to the registered email address, and that email is going to have a unique link to click on to complete the reset and establish a new password, and the attacker would have to intercept the email to gain access, right?
 
The password reset is still going to send an email to the registered email address, and that email is going to have a unique link to click on to complete the reset and establish a new password, and the attacker would have to intercept the email to gain access, right?

It seems they figured a way to create a password reset link using the DOB. So it bypasses the need for the initial email.
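The reset flow the two posts above contrast, as an added illustration that is not from this thread or from Apple's implementation: the reset token is random, stored only as a hash, bound to the registered address, expiring and single-use, so nothing an attacker can look up (a date of birth, a security answer) can stand in for the emailed link. The account store, names and sample values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a real database (assumption).
ACCOUNTS = {"alice@example.com": {"dob": "1990-01-01", "password": "old-secret"}}
RESET_TOKENS = {}          # sha256(token) -> (email, expiry timestamp)
TOKEN_TTL = 60 * 60        # one hour, after which the link is dead


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(email, now=None):
    """Create a single-use, expiring reset token for an account.

    Only the token's hash is stored, so a leaked table cannot be replayed.
    The raw token is what would go into the emailed link; it is never derived
    from anything a third party could know or guess (DOB, security answers)."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None   # a real service answers identically either way (no enumeration)
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    RESET_TOKENS[_digest(token)] = (email, now + TOKEN_TTL)
    return token


def complete_reset(email, token, new_password, now=None):
    """Accept a new password only with a live token bound to this email.

    There is no knowledge-only path here: possession of the emailed token is
    mandatory, which is exactly the property the reported bypass broke."""
    now = time.time() if now is None else now
    digest = _digest(token)
    entry = RESET_TOKENS.get(digest)
    if entry is None:
        return False                              # unknown or already-used token
    bound_email, expiry = entry
    if now > expiry or not hmac.compare_digest(bound_email, email):
        return False
    del RESET_TOKENS[digest]                      # single use: consumed on success
    ACCOUNTS[email]["password"] = new_password
    return True


def check_password(email, password):
    """Constant-time check against the stored password (plaintext here only for brevity)."""
    stored = ACCOUNTS.get(email, {}).get("password", "")
    return hmac.compare_digest(stored, password)
```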
 
What is ridiculous is the 3-day waiting period to activate 2-step authentication. If you get by the security questions to activate it, making people wait is beyond stupid. If the hacker got past those questions, they could just change the password anyways.

The hacker would change the password, but the two-step authentication would make it very difficult to get your account back (no security question etc.).
 
I set my password to "incorrect".

That way, whenever I forget it, it reminds me right away by saying

"Your password is incorrect"
 
Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed.

Wait... what... I'm sorry, but what? Change your birthdate... yeah, let me just go in and change this... *2 weeks later, having forgotten their password* What did I set that as?

Sound advice...not.
 
I've got a .mac (i.e. @mac.com) ID, and have just activated 2-step with no waiting time. I do have a complex password though (and have had for ages) which, according to the article yesterday, is what triggers not having to wait 3 days.



I suspect the reasoning behind this is that if you haven't got a complex password it's easier to crack and someone could completely hijack your account by enabling 2 step authentication. The 3 day delay gives people enough time to respond if they didn't request it.

I have a complex password and I have to wait 3 days.

Edit: Also, it's not a .mac address.
 
It seems they figured a way to create a password reset link using the DOB. So it bypasses the need for the initial email.

Oh. :facepalm: Anyway, the reset password page is currently down for me. When it's not legally binding, I always enter a fake DOB anyway. For security questions, I use random strings for answers, just like I do for passwords. Store it all in KeePass.
 
Please tell me YOU are trolling. Are you seriously implying that you'd rather lose your email account and iTunes account than let advertisers market related items based on your email?

:confused:

Hopefully you don't work at Apple.

Please tell me you're trollin' :D
 
Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities. :rolleyes:

This is a bug that WILL expose sensitive personal information to hackers. It's kind of a big deal. But I guess you're one of those "nothing to hide" types, so, carry on.
 
I wish these sites would stop reporting things like this.

You're telling every pleb under the sun how to hack my account.

Not cool.

I strongly disagree, if not for their reporting I wouldn't have learned about it.

Apple should have sent an email out to us, like other sites that are compromised do.

Bad Apple :mad:
 
Please tell me YOU are trolling. Are you seriously implying that you'd rather lose your email account and iTunes account than let advertisers market related items based on your email?

:confused:

Hopefully you don't work at Apple.

Google's was intentional, Apple's wasn't. That's all I meant, nothing more. Sorry for inciting hatred, I'll proof-read next time. :D
 
Yeah, you're right. It wasn't really a good comparison on my part.

Just wanted to make the point that it's not like this was intentional, although that doesn't justify it. I believe Apple do take privacy very seriously (unlike other companies, as aforementioned), and it's regrettable something this important has been overlooked by them.
It is a shame it's been publicly outed like this. That's probably the worst part about it. It would have been far more sensible (IMO) for the press to have kept it as underground as possible until the hole was fixed.

Sadly, the hit-hungry tech blogosphere has outed it like this (this is not a dig at MR, as they're just sharing what's already out there).

The two step verification released yesterday is a godsend and has been set up straight away for me! :) This should at least make people aware of how important decent security is.

I'm also very confident that Apple will be monitoring suspicious activity and any unusual spending.

The Sony hack left a real bad taste in my mouth and this is nothing compared to what happened there.
 
Not only did you not read the article, you did not even read the frackin' title of the article.


lol

What am I missing? "Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth". Are these not my email address and my birthdate?
 
Wow. Way to get users to opt-in to the new worthless two-factor authentication system, which does absolutely nothing for you if somebody has access to your device.
 
I am looking for the "Who needs security anyway" posts. Please do not disappoint.
 