Mar 22

Apple ID accounts reportedly vulnerable to password reset hack, forgot password page taken offline for maintenance (update 2: back)

Posted in: Today's Chili

Apple ID accounts reportedly vulnerable to password reset hack, forgot password page taken offline for maintenance

Gaping security holes are a pretty terrifying thing, especially when they involve something as sensitive as your Apple ID. Sadly it seems that immediately after making the paranoid happy by instituting two-step authentication a pretty massive flaw in Cupertino’s system was discovered and first reported by The Verge. Turns out you can reset any Apple ID password with nothing more than a person’s email address and date of birth — two pieces of information that are pretty easy to come across.

There’s a little more to the hack, but it’s simple enough that even your non-tech savvy aunt or uncle could do it. After entering the target email address in the password reset form you can then select to answer security questions to validate your identity. The first task will be to enter a date of birth. If you enter that correctly then paste a particular URL into the address bar (which we will not be publishing for obvious reasons), press enter, then — voilà — instant password reset! Or, at least that’s the story. While we were attempting to verify these claims Apple took down the password reset page for “maintenance.” Though we’ve received no official confirmation from Apple, it seems the company is moving swiftly to shut down this particularly troublesome workaround before word of it spreads too far.

Update: We’ve heard back from Apple on the matter, which stated, “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.” No real surprises that a fix is in the works, but there you have it from the horse’s mouth.

Update 2: The forgotten password page is back as of late Friday evening — that was (relatively) quick. iMore reports (and we’ve verified ourselves) that the security hole is now closed.

Filed under: ,

Comments

Source: The Verge, iMore

No Comments | Tags: , , , , , , ,
Aug 07

Amazon, Apple stop taking key account changes over the phone after identity breach

Posted in: Today's Chili

Amazon Kindle Store on iPad

By now, you may have heard the story of the identity ‘hack’ perpetrated against Wired journalist Mat Honan. Using easily obtained data, an anonymous duo bluffed its way into changing his Amazon account, then his Apple iCloud account, then his Google account and ultimately the real target, Twitter. Both Amazon and Apple were docked for how easy it was to modify an account over the phone — and, in close succession, have both put at least a momentary lockdown on the changes that led to Honan losing much of his digital presence and some irreplaceable photos. His own publication has reportedly confirmed a policy change at Amazon that prevents over-the-phone account changes. Apple hasn’t been as direct about what’s going on, but Wired believes there’s been a 24-hour hold on phone-based Apple ID password resets while the company marshals its resources and decides how much extra strictness is required.

Neither company has said much about the issue. Amazon has been silent, while Apple claims that some of its existing procedures weren’t followed properly, regardless of any rules it might need to mend. However the companies address the problem, this is one of those moments where the lesson learned is more important than the outcome. Folks: if your accounts and your personal data matter to you, use truly secure passwords and back up your content. While Honan hints that he may have put at least some of the pieces back together, not everyone gets that second chance.

Filed under:

Amazon, Apple stop taking key account changes over the phone after identity breach originally appeared on Engadget on Tue, 07 Aug 2012 23:40:00 EDT. Please see our terms for use of feeds.

Permalink   |  sourceWired (1), (2)  | Email this | Comments

No Comments | Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,