Is Apple losing its touch? Major security hole allowed hackers to easily reset passwords to Apple accounts using iForgot


There was a time when Apple products were popularly recognized as being secure, or at least more secure than the competition. For example, for the longest time Mac OS X was synonymous with “doesn’t get viruses” (which, of course, has never been true; malware makers just never targeted Macs in the past). Now one piece of Mac OS X malware after another is appearing in the wild, such as the most recent, Pintsized.A, which bypassed the Mac’s native Gatekeeper security measure.

The story is similar with Apple’s iOS. Report after report points to malware apps targeting Android but, due to Apple’s strict control over apps that run on iDevices, there aren’t really many malware apps on iOS. And the ones that do exist target people who jailbreak to purposefully bypass restrictions Apple has put in place. However, since the launch of iOS 6, iOS itself has been hit with one security vulnerability after another due to poor Apple programming, such as the vulnerability that allowed bypass of the lock screen (which has now been fixed, but a new vulnerability has taken its place).

Now there is confirmation that Apple’s iForgot password reset tool — the tool that allows people with Apple accounts (Apple ID, iCloud, etc.) to reset their forgotten password — has (had) a vulnerability that allows scumbags to fairly easily reset an Apple account password using just the associated email address and date of birth.

The hack involves manipulating the URL of an iForgot page while at the date of birth page in iForgot. If successfully done, the hacker is prompted to reset the password to the account in question by entering a new password.
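A simplified model of this class of flaw, a multi-step reset flow whose final page can be reached by changing the URL, next to a hardened check that relies only on server-side state. This is an added example, not Apple's code and not from the original post; the step names, the `extra_check` step and every function name are assumptions made for illustration.

```python
import secrets

# Hypothetical step order. The post mentions only an email address and a date
# of birth; "extra_check" is an assumption standing in for whatever
# verification the flow requires after the date-of-birth page.
STEPS = ("email", "dob", "extra_check")


class ResetFlow:
    """Server-side record of password-reset attempts."""

    def __init__(self):
        self.sessions = {}  # reset token -> set of steps proven so far

    def start(self):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = set()
        return token

    def complete_step(self, token, step, proof_ok):
        """Record a step only if its proof passed and all earlier steps are done."""
        done = self.sessions.get(token)
        if done is None or step not in STEPS or not proof_ok:
            return False
        if set(STEPS[:STEPS.index(step)]) - done:
            return False  # an earlier step is missing
        done.add(step)
        return True

    def may_set_password_weak(self, token, url_step):
        """Flawed pattern: trusts the step name carried in the request URL."""
        return token in self.sessions and url_step == "new_password"

    def may_set_password(self, token, url_step):
        """Hardened pattern: the URL is ignored; only recorded steps count."""
        return self.sessions.get(token) == set(STEPS)


def demo():
    """Constructed walk-through: a request names the final page one step early."""
    flow = ResetFlow()
    token = flow.start()
    flow.complete_step(token, "email", True)
    flow.complete_step(token, "dob", True)
    weak = flow.may_set_password_weak(token, "new_password")
    hard = flow.may_set_password(token, "new_password")
    flow.complete_step(token, "extra_check", True)
    after = flow.may_set_password(token, "new_password")
    return weak, hard, after
```

The weak check allows the password change as soon as the URL names the final page, while the hardened check refuses until every verification step has been recorded for that token on the server.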

Thankfully, Apple confirmed the hack when reports emerged earlier today and took down iForgot. iForgot is now back up, presumably meaning Apple has fixed the issue. And people who enabled Apple’s new two-step authentication were safe from this hack anyway. Still, however: Apple products have been known to “just work” and not have the security issues that plague the competition. This appears to be changing, slowly but surely.

[via The Verge]


Comments


5 comments

  1. John

    It’s true that the 1980s Macs had the first replicating viruses for any personal computers. The Mac OS today contains no code from the 1980s versions – counting them as meaningful is just ignorant on your part. It isn’t the word “Mac” that provides the security. LOL. That word is UNIX. Since 2001 with OS X, there are no real viruses and only a handful of mainly phishing type malware (via Java and Adobe Flash) available for the Mac. Contrast that to Windows with its hundreds of thousands of real viruses and malware and backdoors. Why are Mac users not exploited more? The Mac demographic is more lucrative, so why so few attacks? Obscurity? Ha! Someone wrote a virus for hacked iPods running Linux – now that is obscure – a virus made to attack a few hundred users with jailbroken iPods. There should be at least several hundred viruses for Mac OS X – but after 12 years only a dozen or so malwares – and they only show up one at a time? Wow, there is no myth here. The fact is that Mac users are much, much safer from attack than Windows users. Neither Apple nor any Mac expert has ever made a claim that Macs are “invulnerable”. Still, it would be quite an honor for some hacker to get the bragging rights for being the first to create a real, self-replicating, attacking, viral security threat for Mac OS X. We’ve been waiting for 12 years now. What’s the problem? UNIX is very secure?

  2. mukhi

    Completely agree with Naveed and Mags. Apple has always been showing security through obscurity. Now that Apple devices are very popular (many are switching from PC to Mac, BlackBerry to iPhone…), isystems are suffering from multiple attacks.

  3. Mags

    [@Naveed] “Apple was never ‘secure’”. That is so true.

    I first learned to use a computer on the Original Macintosh, and yes, it had to be scanned for viruses, as they were around even then and were aimed at Macs because they were the main PCs in use at that time. I’m talking mid to late 80’s here.

  4. Naveed

    Apple was never “secure”. In a browser hack challenge some years ago Safari came last, even worse than IE. It was more security by obscurity than anything else. And it wasn’t worthwhile for hackers to hack Apple, due to its small market share. Now that the market share is higher it’s worth having.