Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

[Netherscourge]

too many security issues accumulating lately

And their "patches" just open up new holes to exploit...

 

[pgiguere1]

It's fixed now.

http://www.imore.com/apple-rolls-out-fix-password-reset-security-hole-iforgot-site-back

 

[charlituna]

That breach had nothing to due with security holes in Google's system. Apple hasn't been forthright at all on iTunes account hacking over the years either.

How much of that 'hacking' was really due to server/apple fails and how much was folks having piss poor passwords, security questions you can find on their Facebook etc

----------

Well, I would love to activate the two-step verification. But it seems like some countries are once again of lower priority

Given this hole are you really upset that you aren't in round one.

----------

Security by obscurity has never worked.

Yet if they hasn't announced it to the word but simply to Apple it might have been fixed before anyone tried to sort out the full method

 

[Tech198]

lol... Apple "up-the-security", but not in all areas....

just allowing DOB and users email address is shocking security just to reset their password.

I'd also by asking the security questions/answers here too, as well the last 4 digits of card number they have on file (optional)


I'm surprise this didn't actually happen sooner. But better sooner a fix, than later.

 

[Casiotone]

lol... Apple "up-the-security", but not in all areas....

just allowing DOB and users email address is shocking security just to reset their password.

I'd also by asking the security questions/answers here too, as well the last 4 digits of card number they have on file (optional)


I'm surprise this didn't actually happen sooner. But better sooner a fix, than later.

Apple did not intentionally allow users to reset the password using just the date of birth and email. There were additional security questions after, but this hack was bypassing them.

 

[user418]

Most of you have NO idea what Internet security involves, especially for a very large, well known tech company, so quit running your mouth. For a culture that hates ignorance so much, you Americans sure are full of it!

Those of you who DO have an idea need to speak up.

Most of the security problems are caused by operator error and foolishness. Just look at the stats for the most popular ATM PINs and iOS pass codes.

You Americans........mind sharing your nationality so that one might properly address you kind sir?

 

[petsounds]

You only wait if you have a password less than 8 characters. Found the below on iMore.

Note: In order to enable two-step verification, you must have a current password that meets Apple's minimum standards of 8 characters complete with at least 1 number and 1 capital letter. If you have to change your current password in order to meet this standard, you'll have a short waiting period before you can enable two-step verification

That's not true. My password far exceeds those so-called minimum requirements.

----------

Here's the reason: Imagine you could turn on Two Factor Authentication immediately. And I happen to have found your password. So I go to the website, enter your AppleID and password, turn on Two Factor Authentication, and you have no chance ever getting back into your account.

Instead what happens is this: I enter your AppleID and password and try to turn on Two Factor Authentication. Apple sends an email to all email addresses of yours that they know. You read the emails, you figure out something is wrong, and call Apple support. Your account is safe.

Don't you also need the physical device to sync to? How would some jerkface turn on Two Factor Authentication without that? The three-day waiting period seems unnecessary.

 

[ElTorro]

One security issue after another...

 

[Fishticks]

Innovating.

 

[silvetti]

I have no option to activate 2 step authentication on my 2 accounts...

Looked everywhere :/

One account is US another one is foreign and none of them have the option under Security tab.

Anyone else with the same issue ?

 

[waveboreale]

Apple is becoming a cheese with growing holes.

 

[Badagri]

I wish retina scans and finger print devices would have been normal by now. Though, what if your eyes are badly bloodshot?

For the love of God, will people please start using password managers? Any decent one will remember all your passwords and store the fake information you put in for your mom's maiden name, pet name or any other question you are presented with.

Personally I prefer good old pen and paper/book.

 

[samcraig]

And yet they fail at it every day. My email account on google was constantly getting hacked until I put two-factor authentication on it (thank God they offered that).

That sucks. Not to throw a competitor as a comparison - but that's why a bunch of my friends and colleagues switches from yahoo to gmail.

I've been with gmail since about when it started and never had an issue. Maybe you're just really popular

 

[winston1236]

I think it's best for our security to, at once, remove our selves from the dangerous Apple ecosystem.

Yea the samsung SAFE system is probably a better choice at this point.

 

[Jamesh7953]

Holy crap. This is eye-opening. I just had a talk with my wife and we both agree that it's too dangerous on the Internet. After I post this we are throwing away our phones, computers, iPads and anything else we can find that might connect to the Internet. I also received a letter from Honda yesterday that there is a recall on my pilot for the airbag. That is just too much. We are having the pilot sent to the crusher tomorrow. My wife and I will stop at nothing to rid our lives and the lives of our children of all risks.

 

[somethingelsefl]

Is this just speculation or is there substance to this? The Verge won't mention anything other than that they "know something". I mean, I'm not saying it isn't possible...but I'm just curious if this is just a claim or if there is other eveidence that this happened.

Clearly there is a vulnerability...but is there evidence of affected users? Either way, two-step here I come.

 

[gnasher729]

That's not true. My password far exceeds those so-called minimum requirements.

----------



Don't you also need the physical device to sync to? How would some jerkface turn on Two Factor Authentication without that? The three-day waiting period seems unnecessary.

I (the hacker) have a physical device. _My_ iPhone, iPad or Mac. If I have your AppleID and password, I can get into your account from any device. Just like you can if you buy a new phone.

 

[Shin3r]

Holy crap. This is eye-opening. I just had a talk with my wife and we both agree that it's too dangerous on the Internet. After I post this we are throwing away our phones, computers, iPads and anything else we can find that might connect to the Internet. I also received a letter from Honda yesterday that there is a recall on my pilot for the airbag. That is just too much. We are having the pilot sent to the crusher tomorrow. My wife and I will stop at nothing to rid our lives and the lives of our children of all risks.

I agree, I think I may need to sell my house too. Did you know they have programs that store all that information and real estate agents have access to that? It's crazy. I love sarcasm!!

The reality is we can't be 100% safe, ever. Apple may not have been, or be the best at It, but I will give them credit for jumping on the problem as quick as they did. The Steve jobs era was not like that, they would just remain silent and not fix it for a long time. I think they are making the effort and I give them credit for that. Beyond that I have to do what I can to keep myself as safe as I can. If you absolutely can't handle that then maybe you need lifestyle changes.

What cracks me up is how most of you are complaining to the point that you have had previous knowledge of their piss poor security and still use their services. That's ALL bad on you. Fool me once kinda thing you know?

 

[Exhale]

Yet if they hasn't announced it to the word but simply to Apple it might have been fixed before anyone tried to sort out the full method

Method was already known by anyone that would want to use it. News of this sort doesn't exactly spread through tech blogs, they'll only appear there from eventually being picked up.

 

[vartanarsen]

Love how websites like MacRumiors driving Apple corporate decisions...like on the spot they tooj down the service.....bravo to social media

 

[CJK]

I wish retina scans and finger print devices would have been normal by now. Though, what if your eyes are badly bloodshot?

Anatomy isn't your strong point, I see.

 

[aerok]

One security issue after another...

Huh? Really does not happen often.

 

[iGrip]

I am looking for the "Who needs security anyway" posts. Please do not disappoint.

The only people who worry about this stuff are people who are trying to hide their wrongdoing.


You're welcome.

 

[maxosx]

What's Facebook?

I'm with you!

----------

The only people who worry about this stuff are people who are trying to hide their wrongdoing.

Dream on... denial is a wonderful thing for those who have no desire for taking personal responsibility.

 

[k1121j]

??? Secure

does this mean now all you need to do is steal a device to change the password? how is that secure