There was a time when Apple products were popularly recognized as being secure. Or at least more secure than the competition. For example, for the longest time Mac OS X was synonymous with “doesn’t get viruses” (which, of course, has never been true — malware makers just never targeted Macs in the past). Now, Mac OS X malware after malware are appearing in-the-wild such as the most recent Pintsized.A that bypassed Mac’s native Gateskeeper security measure.
The story is similar with Apple’s iOS. Reports after reports point to malware apps targeting Android but, due to Apple’s strict control over apps that run on iDevices, there aren’t really many malware apps on iOS. And the ones that do exist target people who jailbreak to purposefully bypass restrictions Apple has put in place. However, iOS itself has been hit with one security vulnerability after another after the launch of iOS 6 due to poor Apple programming, such as the vulnerability that allows bypass of lock screen (which has now been fixed but a new vulnerability has taken its place).
Now there is confirmation that Apple’s iForgot password reset tool — the tool that allows people with Apple accounts (Apple ID, iCloud, etc.) to reset their forgotten password — has (had) a vulnerability that allows scumbags to fairly easily reset an Apple account password using just the associated email address and date of birth.
The hack involves manipulating the URL of an iForgot page while at the date of birth page in iForgot. If successfully done, the hacker is prompted to reset the password to the account in question by entering a new password.
Thankfully, Apple confirmed the hack when reports emerged earlier today and took down iForgot. iForgot is now back up, presumably meaning Apple has fixed the issue. And people who enabled Apple’s new two-step authentication were safe from this hack anyway. Still, however: Apple products have been known to “just work” and don’t have the security issues that plague the competition. This appears to changing, slowly but surely.
[via The Verge]