Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

[bushido]

I'm trying to set up two step verification. Which I can't do because it's asking me security questions that have no answer.

thats how i was locked out of my apple id on my iPhone for like a month once! it asked me a security question i never set up in my life and the apple hotline wasnt really helpful

 

[NUR6]

Dont you really want two factor not two step authentication?

As former MobileMe user I had no trouble (other than being logged off while I was reading the FAQ) enabling the 2 step verification.

The iPhone can contain a goldmine of info if they get access to it,

so isn't the real solution to have two factor (something I know PIN, PW, unlock code, and something I have-except the iPhone, RFID/BT fob, iWatch???, face) vs two step authentication?

Help me out what am I missing?

 

[Renzatic]

This has been a veritable smorgasbord of fun little surprises.

 

[MonkeySee....]

I strongly disagree, if not for their reporting I wouldn't have learned about it.

Apple should have sent an email out to us, like other sites that are compromised do.

Bad Apple

So you're happy now that instead of a few people knowing how to change your details, thousands now do?

 

[990CPA]

Quit pointing fingers

Most of you have NO idea what Internet security involves, especially for a very large, well known tech company, so quit running your mouth. For a culture that hates ignorance so much, you Americans sure are full of it!

Those of you who DO have an idea need to speak up.

Most of the security problems are caused by operator error and foolishness. Just look at the stats for the most popular ATM PINs and iOS pass codes.

 

[jeremiah256]

Wait....what....I'm sorry but what? Change your birthdate....yeah let me just go in and change this.....*2 weeks later and forgotten their password* what did I set that as?

Sound advice...not.

For the love of God, will people please start using password managers? Any decent one will remember all your passwords and store the fake information you put in for your mom's maiden name, pet name or any other question you are presented with.

 

[Consultant]

Who else is "secure"?

Google 2 factor security was easily bypassed too:
https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/

 

[Bahroo]

Who else is "secure"?

Google 2 factor security was easily bypassed too:
https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/

ooff, im sending this to my Fandroid cousin

 

[numlock]

Apple is just a horrible web services company. They've never done much right in the space.

but eddy cue is a genius

 

[turtlez]

Apple seems to always be running into problems with their account services. Transferring all my important documents back to gmail again. Just too concerned with the frequent troubles Apple is running into.

 

[Oletros]

Who else is "secure"?

Google 2 factor security was easily bypassed too:
https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/

You have a very strange definition of the word "easily"

 

[gotluck]

Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities.

Well, id rather have google scanning my stuff than joe blow gettting access to my account...

google is a better web services company, I'll say it.

Apple has hardware and software.

 

[bozzykid]

i dont get it ... isnt this how u usually reset a password?

when i forgot my password on our train companies site among others i just enter my the email i signed up with and they send me a new password to my email. i mean, who else could read that email with the new password? its still only my email account

In this case, you don't need access to the email account. You just need to know the email address. That is the major flaw in this security hole.

 

[turtlez]

You have a very strange definition of the word "easily"

How is it that you magically appear every time someone mocks a competitor of Apple? lol

----------

Well, id rather have google scanning my stuff than joe blow gettting access to my account...

google is a better web services company, I'll say it.

Apple has hardware and software.

yup, I agree. I just got all my invoices off iCloud and transferred them back to my gmail where they used to reside.

 

[samcraig]

How is it that you magically appear every time someone mocks a competitor of Apple? lol

How is it you magically appear to add commentary on who posts in a thread

You realize he posted in this thread at least once before responding to someone who criticized an Apple competitor?

 

[NUR6]

2 step vs 2 factor

Who else is "secure"?

Google 2 factor security was easily bypassed too:
https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/

from the article it says two step "Google’s 2-step verification makes for an interesting case study in some of the challenges that go with such a wide-scale, comprehensive deployment of strong authentication."

Again, two step authentication can make it easier while true two Factor (something I know and something I have, as long as that isn't something that can be easily taken or lost) would work.

What am I missing?

 

[iChrist]

What am I missing "Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth"? Are these not my email address and my birthdate?

Yes. Didn't you ask if they needed your date of birth?

----------

Most of you have NO idea what Internet security involves, especially for a very large, well known tech company, so quit running your mouth. For a culture that hates ignorance so much, you Americans sure are full of it!

Those of you who DO have an idea need to speak up.

Most of the security problems are caused by operator error and foolishness. Just look at the stats for the most popular ATM PINs and iOS pass codes.

How is it user error if the site allows someone to access your account with the most basic of information?

I own a security consulting business. You comment has no relevance, it is as funny as your other comments you make on this board.

 

[Premium1]

And IOS is so secure......

 

[64Mario64]

Whoops!

 

[gijoeinla]

The password reset is still going to send an email to the registered email address, and that email is going to have a unique link to click on to complete the reset and establish a new password, and the attacker would have to intercept the email to gain access, right?

Don't think so.. The two step process involves authenticating your mobile devices -- sending a text code if desired.. I found the process quite easy and makes me feel safe-r. Did my iPhone and ipad...

 

[spazzcat]

Yes. Didn't you ask if they needed your date of birth?

----------




How is it user error if the site allows someone to access your account with the most basic of information?

I own a security consulting business. You comment has no relevance, it is as funny as your other comments you make on this board.

Yes, and how is some random person going to know my birthdate?

 

[gijoeinla]

And IOS is so secure......

More like IS THIS WHOLE FRICKING INTERNET we ALL jumped into SECURE??? And whose ensuring WE are secure?

ALL of the OS face an ONSLAUGHT every FRICKING day...

This is the ONE we hear about....

Reality check.....

 

[WolfJLupus]

Apple's password "security" is often more annoying than some banks. So I'd almost call this a feature rather than a security hole.

Update: Oh ok, I though it sent it via email to user, since it actually lets you change it right then and there that's no good. =P

 

[lolkthxbai]

Well that was quick! Had to be Apple huh?

 

[petsounds]

Well, that's great. I went to enable two-step authentication on my Apple account and got this message:

You must wait 3 days to enable two-step verification.