Apple rolls out fix for password reset security hole, iForgot site back up

Apple’s iForgot password reset page is back online, and iMore has verified that the security hole discovered in it earlier today has been closed.

Previously, after supplying a victim’s Apple ID and date of birth, an attacker could request a URL from Apple’s reset page that changed that account’s password without the security questions ever being answered. In response, Apple first blocked access to the password reset page, and a short while later took the entire site down after another loophole was found that still allowed the attack to be carried out.

This vulnerability came at an interesting time, just a day after Apple began rolling out its two-step verification system. Users who had already enrolled in the new system appear to have been immune to the password reset vulnerability.

Unfortunately, some users were still in the three-day waiting period that applies before two-step verification can be enabled, while others live in countries where two-step verification is not yet available.
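The failure mode described above, as an added illustration: this is example code written for this page, not Apple’s code or the real iForgot request format, and the account data, field names, token format and the way two-step accounts are handled are all assumptions. The vulnerable server re-checks only the Apple ID and date of birth on the final reset request, so nothing ties that request to an answered security question; the hardened server records each completed step server-side against an opaque, single-use token and refuses the reset unless every earlier step is marked done. It also models the article’s observation that two-step users were immune by keeping such accounts out of the question-based flow entirely.

```python
"""Multi-step password reset: a step-skipping flaw beside a hardened flow.

Added example, not Apple's code.  Accounts, field names, the token format
and the two-step handling are assumptions made for the illustration.
"""
import hmac
import secrets
from dataclasses import dataclass

VICTIM = "victim@example.com"
VICTIM_DOB = "1980-01-01"

# Constructed sample account store (assumption, not real data).
ACCOUNTS = {
    VICTIM: {
        "dob": VICTIM_DOB,
        "answers": {"first_pet": "rex", "city_born": "cupertino"},
        "password": "original-password",
        "two_step": False,
    },
    "enrolled@example.com": {
        "dob": "1990-05-05",
        "answers": {"first_pet": "tux", "city_born": "helsinki"},
        "password": "original-password",
        "two_step": True,
    },
}


def _same(a, b):
    """Constant-time comparison of two short strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class VulnerableResetServer:
    """Every step is a separate request; the last one only repeats the
    first one's check, so nothing proves the questions were answered."""

    def __init__(self, accounts):
        self.accounts = {k: dict(v) for k, v in accounts.items()}

    def verify_dob(self, params):
        acct = self.accounts.get(params.get("appleid", ""))
        return acct is not None and _same(acct["dob"], params.get("dob", ""))

    def verify_questions(self, params):
        acct = self.accounts.get(params.get("appleid", ""))
        return acct is not None and all(
            _same(v, params.get(k, "")) for k, v in acct["answers"].items())

    def reset(self, params):
        # BUG: re-checks ID + DOB but never checks that verify_questions()
        # succeeded for this request, so this URL can be requested directly.
        if not self.verify_dob(params):
            return False
        self.accounts[params["appleid"]]["password"] = params.get("password", "")
        return True


@dataclass
class ResetSession:
    apple_id: str
    dob_ok: bool = False
    questions_ok: bool = False


class HardenedResetServer:
    """Progress lives server-side behind an opaque, single-use token."""

    def __init__(self, accounts):
        self.accounts = {k: dict(v) for k, v in accounts.items()}
        self.sessions = {}  # token -> ResetSession

    def start(self, apple_id, dob):
        acct = self.accounts.get(apple_id)
        if acct is None or not _same(acct["dob"], dob):
            return None
        if acct["two_step"]:
            return None  # assumption: two-step accounts never use this flow
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ResetSession(apple_id, dob_ok=True)
        return token

    def answer_questions(self, token, answers):
        sess = self.sessions.get(token)
        if sess is None or not sess.dob_ok:
            return False
        expected = self.accounts[sess.apple_id]["answers"]
        if not all(_same(v, answers.get(k, "")) for k, v in expected.items()):
            del self.sessions[token]  # one attempt per session
            return False
        sess.questions_ok = True
        return True

    def reset(self, token, new_password):
        sess = self.sessions.pop(token, None)  # single use
        if sess is None or not (sess.dob_ok and sess.questions_ok):
            return False
        self.accounts[sess.apple_id]["password"] = new_password
        return True


def attack_vulnerable(server):
    """Attacker knows only ID and DOB and calls the reset URL directly."""
    return server.reset({"appleid": VICTIM, "dob": VICTIM_DOB, "password": "pwned"})


def attack_hardened(server):
    """Same attacker against the hardened flow: start, then jump to reset."""
    return server.reset(server.start(VICTIM, VICTIM_DOB), "pwned")


def legitimate_reset(server, new_password):
    """The account owner completes every step in order."""
    token = server.start(VICTIM, VICTIM_DOB)
    answers = {"first_pet": "rex", "city_born": "cupertino"}
    return server.answer_questions(token, answers) and server.reset(token, new_password)


if __name__ == "__main__":
    print("vulnerable, questions skipped:", attack_vulnerable(VulnerableResetServer(ACCOUNTS)))  # True
    hardened = HardenedResetServer(ACCOUNTS)
    print("hardened, questions skipped:", attack_hardened(hardened))  # False
    print("hardened, legitimate owner:", legitimate_reset(hardened, "new-pw"))  # True
```

The check a practitioner wants from any multi-step recovery flow is the one the hardened `reset` performs: the server, not the client’s URL, is the record of which steps were completed, the token is opaque and single-use, and a wrong answer invalidates the session rather than leaving it open for retries.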

Today’s events serve as an important example of why two-step verification is a good idea. People interested in getting two-step verification set up can find out how with iMore’s tutorial.

Update: Details on how the exploit worked can be found here.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at POSSIBLE Mobile. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.



Reader comments


16 Comments

I actually think they are acting very quickly lately. The Java exploits are blocked nearly as soon as they are identified, and then await an update from Oracle.

iOS 6.1?
Released January 28, 2013 (54 days ago)

Since that time, 3 point releases, averaging one every 18 days.
6.1.1 - 2/6/13 (9 days, 4S only/3G issue)
6.1.2 - 2/19/13 (13 days, Exchange bug)
6.1.3 - 3/19/13 (31 days, passcode bypass)

I anticipate 6.1.4 within a week to patch the remove-SIM passcode bypass.

This is pretty quick for client systems. The fix today was backend, with fewer variables.

This is also the good thing about Apple. The lockscreen bug found in Samsung's S3 and Note 2 is, I believe, still unfixed. Once they are fixed they still have to be approved by carriers.

Of course Apple moved fast here, and I'm glad they did too. They needed to protect their customers' accounts, and this lets people see that Apple is serious about security flaws as well. This is very good news for everyone.

Glad there's one less flaw in the system, but it would be nice if there were a better way than two-step verification, since on the road I don't always have cell coverage.

If you don't have cell coverage, you don't have internet, so you can't log in. If you have internet (wireless) and you don't have cell coverage, then don't use two-step verification.

I'm glad they are constantly on their toes, creating new security and trying to patch loopholes for security issues. The sad thing is, I cannot upgrade due to losing my precious jailbreak. :(

Man, it seems like one Apple issue after another. You would think they would be more on their toes considering how closely the entire world watches them.

Not good that there was this bug in the first place, but like many readers, I'm glad they fixed it so quickly.