Anatomy of the Apple ID password reset exploit

When The Verge broke news of Apple’s password reset vulnerability, they cited a step-by-step guide that detailed the process of exploiting the service. They declined to link to the source for security reasons, and rightfully so. However, now that Apple has closed the security hole the topic of how it worked and why is worth exploring.

While iMore doesn’t know what the original source was, we were able to reproduce the exploit independently. In the interest of helping people understand how they were put at risk, and allowing anybody designing their own systems to avoid similar security holes in the future, after a lot of consideration and carefully weighing the pros and cons, we have decided to detail and analyze the exploit.

Normally the password reset process has 6 steps:

  1. On iforgot.apple.com, enter your Apple ID to begin the process.
  2. Select an authentication method - “Answer security questions” is the one we would use.
  3. Enter your date of birth.
  4. Answer two security questions.
  5. Enter your new password.
  6. Be taken to a success page saying your password has been reset.

What should happen in a process like this is that each step can only be performed once all of the steps before it have successfully been completed. The security hole was a result of this not being properly enforced in Apple’s password reset process.

In step 5, when you submit your new password, a form is sent to the iForgot servers with the password change request. The submitted form is encoded as a URL that carries all of the information from this last page needed to change your password, and looks something like this:

https://iforgot.apple.com/iForgot/resetPassword.html?forceBetterPlusPasswordRules=true&password=NEWPASSWORD&aolParameter=false&borderValue=true&confirmPassword=NEWPASSWORD&findAccount=false&myAppleIdImageURL=https%3A%2F%2Fappleid.apple.com%2Fcgi-bin%2FWebObjects%2FMyAppleId.woa%3Flocalang%3Den_US&appendingURL=&urlhit=false&accountName=johnny%40apple.com

In the steps above, an attacker would be required to properly complete steps 1-3. The URL had the effect of allowing them to skip step 4, achieve step 5, and get confirmation in step 6 that they had successfully reset a user’s password. With a fix now in place, if you try this, you will get a message saying “Your request could not be completed.” and you’ll have to restart the password reset process.

The necessary URL could be acquired by walking through a normal password reset on your own Apple ID, and watching the network traffic being sent when you submitted your new password in step 5. The URL could also be constructed manually by somebody if they looked at the HTML of the password reset page to see what information the page would be submitting in the form.

When Apple initially put a maintenance message on the iForgot page to prevent users from doing a password reset, it suffered from a nearly identical problem. While you could no longer enter your Apple ID and click Next to get to step 2, if you already knew the full URL with the form info needed, you could put it into your browser and be taken right to the “Select authentication method” page.

https://iforgot.apple.com/iForgot/authenticationmethod.html?language=US-EN&defAppleId=johnny%40apple.com&urlhit=false

From here the rest of the password reset process worked as normal. Upon being made aware of this, Apple took the entire iForgot page offline.
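Both problems described above (a final step that trusts the client to have passed the earlier ones, and a "hidden" page that still answers direct requests) come from gating on what the browser shows rather than on state the server holds. The following is an added example, not iMore's or Apple's code, of how a reset flow can enforce the sequence server-side: every step is keyed by a server-issued session token, each handler refuses to run unless exactly the previous step has been completed, the account being reset is taken from the session rather than from a form field such as accountName, and a failed check ends the session so the user has to start over. The account, date of birth, security answers and passwords are constructed sample data; the `enforce_sequence=False` switch exists only to show what the missing check looks like by contrast.

```python
"""Server-side enforcement of a multi-step password-reset flow (added example)."""
from dataclasses import dataclass
from enum import IntEnum
import hmac
import secrets


class Step(IntEnum):
    """Steps 1-5 of the flow in the article; step 6 is only the success page."""
    ACCOUNT = 1      # enter the account name
    METHOD = 2       # choose an authentication method
    BIRTHDATE = 3    # enter the date of birth
    QUESTIONS = 4    # answer the security questions
    PASSWORD = 5     # submit the new password


class ResetError(Exception):
    """Raised when a request arrives out of order or fails a check."""


@dataclass
class ResetSession:
    account: str
    completed: int = Step.ACCOUNT   # highest step finished so far, held server-side


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison of two user-supplied strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class ResetFlow:
    """Each step is addressed by a server-issued token, never by form fields.

    enforce_sequence=False reproduces the class of flaw the article describes:
    the final step no longer checks that the earlier steps were completed.
    """

    def __init__(self, users: dict, enforce_sequence: bool = True):
        self.users = users                  # account -> {"dob", "answers", "password"}
        self.enforce_sequence = enforce_sequence
        self.sessions: dict[str, ResetSession] = {}

    def _session(self, token: str, step: Step) -> ResetSession:
        sess = self.sessions.get(token)
        if sess is None:                    # a direct link without a session is refused
            raise ResetError("no such reset session")
        if self.enforce_sequence and sess.completed != step - 1:
            raise ResetError("Your request could not be completed.")
        return sess

    def _abort(self, token: str):
        """A failed check ends the session; the user must begin again at step 1."""
        del self.sessions[token]
        raise ResetError("Your request could not be completed.")

    def begin(self, account: str) -> str:
        """Step 1: open a session for a known account and return its token."""
        if account not in self.users:
            raise ResetError("unknown account")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ResetSession(account=account)
        return token

    def choose_method(self, token: str, method: str):
        """Step 2: only the security-questions method is modelled here."""
        sess = self._session(token, Step.METHOD)
        if method != "questions":
            raise ResetError("unsupported method")
        sess.completed = Step.METHOD

    def verify_birthdate(self, token: str, dob: str):
        """Step 3."""
        sess = self._session(token, Step.BIRTHDATE)
        if not _eq(dob, self.users[sess.account]["dob"]):
            self._abort(token)
        sess.completed = Step.BIRTHDATE

    def answer_questions(self, token: str, answers: list):
        """Step 4: all stored answers must match (normalised, constant-time)."""
        sess = self._session(token, Step.QUESTIONS)
        expected = self.users[sess.account]["answers"]
        ok = len(answers) == len(expected) and all(
            _eq(a.strip().lower(), e) for a, e in zip(answers, expected))
        if not ok:
            self._abort(token)
        sess.completed = Step.QUESTIONS

    def reset_password(self, token: str, new_password: str, confirm_password: str) -> bool:
        """Step 5: the account comes from the session, not from the request."""
        sess = self._session(token, Step.PASSWORD)
        if new_password != confirm_password or len(new_password) < 8:
            raise ResetError("password rejected")
        self.users[sess.account]["password"] = new_password
        del self.sessions[token]            # one reset per session
        return True


def _sample_users() -> dict:
    # Constructed sample directory; not real account data.
    return {"johnny@example.com": {"dob": "1980-01-01",
                                   "answers": ["tabby", "ouagadougou"],
                                   "password": "old-password"}}


def attempt_skip(enforce_sequence: bool) -> bool:
    """Complete steps 1-3, then submit step 5 without step 4. True if the reset went through."""
    users = _sample_users()
    flow = ResetFlow(users, enforce_sequence=enforce_sequence)
    token = flow.begin("johnny@example.com")
    flow.choose_method(token, "questions")
    flow.verify_birthdate(token, "1980-01-01")
    try:
        flow.reset_password(token, "new-password-1", "new-password-1")
    except ResetError:
        return False
    return users["johnny@example.com"]["password"] == "new-password-1"


def complete_reset() -> bool:
    """The legitimate path: all steps in order."""
    users = _sample_users()
    flow = ResetFlow(users)
    token = flow.begin("johnny@example.com")
    flow.choose_method(token, "questions")
    flow.verify_birthdate(token, "1980-01-01")
    flow.answer_questions(token, ["Tabby", " Ouagadougou "])
    return flow.reset_password(token, "new-password-1", "new-password-1")


def direct_link_to_step2() -> bool:
    """A step-2 request with no server session (the maintenance-page case). True if it was served."""
    flow = ResetFlow(_sample_users())
    try:
        flow.choose_method("not-a-server-issued-token", "questions")
    except ResetError:
        return False
    return True
```

With enforcement on, `attempt_skip` is refused with the same "Your request could not be completed." message the fixed iForgot page now shows, and `direct_link_to_step2` is refused because no session exists; with enforcement off, the step-5 request succeeds against an account that never answered its security questions, which is the behaviour the article describes.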

It is still unclear if this exploit was ever used in the wild, but hopefully Apple’s response was fast enough to stop any would-be attackers. Apple also issued a statement to The Verge yesterday in response to the security hole, stating "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix," though we have yet to see any comment from them regarding how it happened or how many users may have been affected.

Update: After finding a link to the original step-by-step guide (via 9to5Mac), it appears that the original hack was slightly different, though with a similar underlying principle of modifying requests to Apple and with the same end result.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at Double Encore. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.


There are 17 comments.

chaitanya91845 says:

Well.. At least it was handled quickly. Don't think there could have been any significant damage.

Tewha says:

It was handled quickly once it got out that it was there, but I wonder how long it was there.

et20 says:

That's quite an amateurish mistake.
It's rather worrying.

SockRolid says:

Re: "...3. Enter your date of birth."

Never give your actual date of birth.
Just use something easy to remember: 7/7/77, 8/8/88, etc.

Re: "...4. Answer two security questions."

Never give truthful answers to the security questions.
E.g. Q: Where did you go on your honeymoon?
A: Ouagadougou, Burkina Faso.

SFCMM_Spuds says:

That's quite an amateurish mistake.
Disagree about that.
Don't think most people know how much testing goes into an OS and there is no way to test for everything, or how much time it takes to fix an exploit in man hours; some are simple, some require major time. Am sure I wouldn't want my job to be based on who could find a fault in it and exploit it. Most of us wouldn't have jobs if that were the case. And don't think most companies strive to hire incompetent people. Unless it's the government's elected officials.

shinuyuki says:

Glad it was fixed soon after it was leaked. Very happy. This was done in a speedy manner. Thanks Apple and thanks iMore for telling us.

joshwyatt says:

My Apple ID was compromised a few months ago and I had no idea how it was done. I suspect this method might have been it. I did use the same password on a few other websites so it's possible they were compromised and the hacker tried the same email and password as an Apple ID — pretty good odds I'd say.

Apple's other security measures saved me, though. They are very good.

The hacker couldn't spend any of my money because if a purchase is attempted on a new device then you're required to confirm credit card details, which they couldn't do. What they did do was add a new credit card to my Apple ID (presumably stolen) and bought a few of what were presumably their own games and bought very expensive in-app purchases, probably to crank up the gross earnings of the app to raise it in the charts. They did use up a few dollars of remaining gift card credit, which I got refunded.

Thanks to Apple's email notifications of any account detail changes, I learned this within minutes and shut it down.

All-in-all, Apple has plenty of great security measures in place and I was happy with the resolution afterwards.

asuperstarr says:

Glad they got this resolved!

ame says:

Glad it was fixed and that I didn't have to deal with a reset on either account.

ronjiedotcom says:

Wish I knew of this earlier.... Kidding! Glad my account wasn't compromised and I can't wait to use Apple's 2-step verification thing.

R1cki97 says:

Well, good thing they took immediate action before something bad happened.

5hea says:

Anyone else starting to feel like there's an army of apple haters out there with far too much time on their hands? What's with all the petty security holes people are digging up lately?

weiwei83921 says:

very glad that it was fixed :) :)

irepairhrvatska says:

I gave stupid answers to my 2 security questions and have them written down. So no one can break into my account. Nevertheless, I'm glad they resolved the issue quickly.

Puakia says:

I opened one window to Apple and the other window with your instructions on how to set up two step verification. Accomplished the process in just a few minutes with no trouble. Hopefully, Apple begins to watch their backs with things like this and correct them before they happen. It would be a shame for them to get caught with their proverbial "pants" down.

phillip_u says:

Glad this was fixed quickly. Although I imagine celebrities would probably have been the most at risk as opposed to your average Joe.

Strings78 says:

Am I the only one that now worries about what other exploits may be out there that just haven't been discovered yet? For not only iOS, but also OSX?