Anatomy of the Apple ID password reset exploit

When The Verge broke news of Apple’s password reset vulnerability, they cited a step-by-step guide that detailed the process of exploiting the service. They declined to link to the source for security reasons, and rightfully so. However, now that Apple has closed the security hole the topic of how it worked and why is worth exploring.

While iMore doesn’t know what the original source was, we were able to reproduce the exploit independently. In the interest of helping people understand how they were put at risk, and allowing anybody designing their own systems to avoid similar security holes in the future, after a lot of consideration and carefully weighing the pros and cons, we have decided to detail and analyze the exploit.

Normally the password reset process has 6 steps:

  1. On the iForgot page, enter your Apple ID to begin the process.
  2. Select an authentication method - “Answer security questions” is the one we would use.
  3. Enter your date of birth.
  4. Answer two security questions.
  5. Enter your new password.
  6. Be taken to a success page saying your password has been reset.

What should happen in a process like this is that each step can only be performed once all of the steps before it have successfully been completed. The security hole was a result of this not being properly enforced in Apple’s password reset process.

In step 5, when you submit your new password, a form is sent to the iForgot servers with the password change request. The form is sent as a URL-encoded request that carries all of the information from this last page needed to change your password, and looks something like this:

forceBetterPlusPasswordRules=true&password=NEWPASSWORD&aolParameter=false&borderValue=true&confirmPassword=NEWPASSWORD&findAccount=false&myAppleIdImageURL=MyAppleId.woa%3Flocalang%3Den_US&appendingURL=&language=US-EN&urlhit=false&

In the steps above, an attacker would be required to properly complete steps 1-3. The URL had the effect of allowing them to skip step 4, achieve step 5, and get confirmation in step 6 that they had successfully reset a user’s password. With a fix now in place, if you try this, you will get a message saying “Your request could not be completed.” and you’ll have to restart the password reset process.

The necessary URL could be acquired by walking through a normal password reset on your own Apple ID, and watching the network traffic being sent when you submitted your new password in step 5. The URL could also be constructed manually by somebody if they looked at the HTML of the password reset page to see what information the page would be submitting in the form.

When Apple initially put a maintenance message on the iForgot page to prevent users from doing a password reset, it suffered from a nearly identical problem. While you could no longer enter your Apple ID and click Next to get to step 2, if you already knew the full URL with the form info needed, you could put it into your browser and be taken right to the “Select authentication method” page.

From here the rest of the password reset process worked as normal. Upon being made aware of this, Apple took the entire iForgot page offline.
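As an added illustration (not iMore's or Apple's code) of the rule stated above, that a step must be refused unless the server has already recorded the previous step as complete, and of why the later maintenance page needed the same check on every step rather than only on the first: a Python sketch in which the flawed handler trusts a well-formed step-5 form while the hardened one consults the session's own progress. The step names, the session object and the sample form body are assumptions shaped after the article's description.

```python
from dataclasses import dataclass
from enum import IntEnum
from urllib.parse import parse_qs

SAMPLE_BODY = "forceBetterPlusPasswordRules=true&password=NEWPASSWORD&confirmPassword=NEWPASSWORD&urlhit=false&"  # constructed, not captured traffic

class Step(IntEnum):
    STARTED = 1             # Apple ID entered
    METHOD_CHOSEN = 2       # "Answer security questions" selected
    DOB_VERIFIED = 3        # date of birth matched
    QUESTIONS_ANSWERED = 4  # both security answers matched
    PASSWORD_SET = 5        # new password accepted

@dataclass
class ResetSession:
    apple_id: str
    completed: Step = Step.STARTED  # highest step verified by the server

class StepOrderError(Exception):
    """A step was requested before its predecessor was completed."""

def require_completed(session: ResetSession, prev: Step, offline: bool) -> None:
    """Gate shared by every handler: the server's record decides, not the request."""
    if offline:  # hiding the start page is not enough; each step must check
        raise StepOrderError("password reset is offline for maintenance")
    if session.completed < prev:
        raise StepOrderError(f"step {int(prev) + 1} requires {prev.name} first")

def parse_password_form(form_body: str) -> str:
    """Read and cross-check the two password fields of a step-5 body."""
    fields = parse_qs(form_body, keep_blank_values=True)
    if fields["password"][0] != fields["confirmPassword"][0]:
        raise ValueError("password and confirmPassword differ")
    return fields["password"][0]

def submit_password_unchecked(session: ResetSession, form_body: str) -> str:
    """Flawed pattern: a well-formed step-5 POST is accepted as proof steps 1-4 ran."""
    parse_password_form(form_body)
    session.completed = Step.PASSWORD_SET
    return "Your password has been reset."

def submit_password(session: ResetSession, form_body: str, offline: bool = False) -> str:
    """Hardened handler: refuses unless step 4 is already recorded as complete."""
    try:
        require_completed(session, Step.QUESTIONS_ANSWERED, offline)
    except StepOrderError as exc:
        return f"Your request could not be completed ({exc})."
    parse_password_form(form_body)
    session.completed = Step.PASSWORD_SET
    return "Your password has been reset."
```

The same `require_completed` gate belongs in the handlers for steps 2 through 4 as well, so that no step can be reached by URL alone.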

It is still unclear if this exploit was ever used in the wild, but hopefully Apple’s response was fast enough to stop any would-be attackers. Apple also issued a statement to The Verge yesterday in response to the security hole, stating “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix,” though we have yet to see any comment from them regarding how it happened or how many users may have been affected.

Update: After finding a link to the original step-by-step guide (via 9to5Mac), it appears that the original hack was slightly different, though with a similar underlying principle of modifying requests to Apple and with the same end result.

Nick Arnott
  • Well.. At least it was handled quickly. Don't think there could have been any significant damage.
  • It was handled quickly once it got out that it was there, but I wonder how long it was there.
  • That's quite an amateurish mistake.
    It's rather worrying.
  • Re: "...3. Enter your date of birth." Never give your actual date of birth.
    Just use something easy to remember: 7/7/77, 8/8/88, etc. Re: "...4. Answer two security questions." Never give truthful answers to the security questions.
    E.g. Q: Where did you go on your honeymoon?
    A: Ouagadougou, Burkina Faso.
  • That's quite an amateurish mistake.
    Disagree about that.
    Don't think most people know how much testing goes into an OS and there is no way to test for everything or how much time it takes to fix an exploit in man hours; some are simple, some require major time. Am sure I wouldn't want my job to be based on who could find a fault in it and exploit it. Most of us wouldn't have jobs if that were the case. And don't think most companies strive to hire incompetent people. Unless it's the government elected officials.
  • Glad it was fixed soon after it was leaked. Very happy. This was done in a speedy manner. Thanks Apple and thanks iMore for telling us.
  • My Apple ID was compromised a few months ago and I had no idea how it was done. I suspect this method might have been it. I did use the same password on a few other websites so it's possible they were compromised and the hacker tried the same email and password as an Apple ID — pretty good odds I'd say. Apple's other security measures saved me, though. They are very good. The hacker couldn't spend any of my money because if a purchase is attempted on a new device then you're required to confirm credit card details, which they couldn't do. What they did do was add a new credit card to my Apple ID (presumably stolen) and bought a few of what were presumably their own games and bought very expensive in-app purchases, probably to crank up the gross earnings of the app to rise it in the charts. They did use up a few dollars of remaining gift card credit, which I got refunded. Thanks to Apple's email notifications of any account detail changes, I learned this within minutes and shut it down. All-in-all, Apple has plenty of great security measures in place and I was happy with the resolution afterwards.
  • Glad they got this resolved!
  • Glad it was fixed and that I didn't have to deal with a reset on either account.
  • Wish I knew of this earlier.... Kidding! Glad my account wasn't compromised and I can't wait to use Apple's 2-step verification thing.
  • Well, good thing they took immediate action before something bad happened
  • Anyone else starting to feel like there's an army of apple haters out there with far too much time on their hands? What's with all the petty security holes people are digging up lately?
  • very glad that it was fixed :) :)
  • I gave stupid answers to my 2 security questions and have them written down. So no one can break into my account. Nevertheless I'm glad they resolved the issue quickly.
  • I opened one window to Apple and the other window with your instructions on how to set up two step verification. Accomplished the process in just a few minutes with no trouble. Hopefully, Apple begins to watch their backs with things like this and correct them before they happen. It would be a shame for them to get caught with their proverbial "pants" down.
  • Glad this was fixed quickly. Although I imagine celebrities would probably have been the most at risk as opposed to your average Joe.
  • Am I the only one that now worries about what other exploits may be out there that just haven't been discovered yet? For not only iOS, but also OSX?