|Apple ID accounts vulnerable to password reset hack|
Apple ID accounts reportedly vulnerable to password reset hack, forgot password page taken offline for maintenance
(update 2: back)
Mar 22nd, 2013
|Gaping security holes are a pretty terrifying thing, especially when they involve something as sensitive as your Apple ID. Sadly, it seems that immediately after making the paranoid happy by instituting two-step authentication, a pretty massive flaw in Cupertino's system was discovered, first reported by The Verge. Turns out you can reset any Apple ID password with nothing more than a person's email address and date of birth -- two pieces of information that are pretty easy to come across. |
In my case, there was an email from Apple connected with this, a real Apple email, so I assume this was a genuine attempt to steal something from me, like my identity....
|Your Apple ID (xxxxxxxxxxxx) was used to sign in to FaceTime on an iPhone 4 named "iPhone". |
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn more.
What a colossal drag this was. I don't have an Apple ID, or I didn't think I did. Deciding I shouldn't ignore this, I used the "safe" way to try to reset my password, just in case. Guess I'll have a password now, and an Apple ID.
(If you're a PC owner as I am, and have ever put any piece of Apple software on your machine, you'll understand why I didn't want an Apple ID, and I didn't want Apple to have my email address. From back in August, though, this story was reported, so I wasn't taking any chances....
Account Hack, User Speaks Out: Lessons To Learn
Anyone have any idea what else I should check out?
There's a generic problem all password-based systems have: people forget their password (which was your only way to authenticate them). So you need to allow them to recover their password ... and this is much easier to attack than the front door, as you cannot authenticate them properly, for obvious reasons.
Hackers know this and they'll continue to bang on the side door instead of the front door. It can be used to trick any too-helpful staff member with the proper rights to reset a password that should not be reset.
The latest attack on Apple reported in the press was one where an outright vulnerability was discovered in their password reset website; Apple took the website offline before most of us read anything about it in the media at all. And knowing Apple, they'll by now have investigated each and every change made between the time it became known there was a problem and the time they took it offline.
Apple ID: you have one if you have an iTunes account, an Apple developer account, ... all those different accounts got merged into an Apple ID: it's simply a password associated with any email address used as an identifier. It's best to have only one, or a few if you have a good reason to need more than one.
What do you get with it: syncing ability between your Apple devices, access to developer tools if you sign up for it, access to past purchases in the App Stores, your iTunes account (including any credit you might own), your iCloud account (including "Find My iPhone" (or Mac) and "Lock My Mac" (or iPhone)).
The warning you get if it's being used to sign in on a device that was not previously associated with your account is actually kinda nice, I find. It really only comes once for every device; even after a complete wipe of a Mac it does not get sent a second time if you log in on it again.
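The reply above makes the general point that the recovery path is the weak "side door", and the article quoted at the top describes the specific shape of that weakness: a reset gated only on an email address plus a date of birth. The Python sketch below is an added illustration, not Apple's code and not code from anyone in this thread. It models a hypothetical reset flow in its weak knowledge-based form beside a single-use, expiring, emailed-token form. The account record, the in-memory outbox standing in for a mail system, and every function name are constructed for the example.

```python
"""Password-reset side door: knowledge-based verification vs. a single-use
emailed token. Added example; the whole reset flow here is hypothetical."""
import hashlib
import hmac
import secrets
import time

# Constructed sample account. A date of birth is the kind of "secret" that
# is publicly discoverable, which is exactly the problem the article describes.
ACCOUNTS = {
    "alice@example.com": {"dob": "1985-04-12", "password": "old-secret"},
}


def weak_reset(email, dob, new_password):
    """Weak flow: anyone who knows the email address and DOB can set a new
    password. Nothing here proves control of the mailbox or the account."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    acct["password"] = new_password
    return True


# --- hardened flow: unguessable single-use token delivered to the mailbox ---
TOKEN_TTL = 15 * 60          # seconds a reset token stays valid (assumption)
_pending = {}                # email -> (sha256(token), expiry timestamp)
_outbox = []                 # stands in for the mail system (constructed)


def _digest(token):
    # Store only a hash so a leaked _pending table does not leak live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Always answers identically so the response does not reveal whether
    the address is registered; only the mailbox owner ever sees the token."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        _pending[email] = (_digest(token), now + TOKEN_TTL)
        _outbox.append((email, token))               # "send" the email
    return "If that address is registered, a reset link has been sent."


def complete_reset(email, token, new_password, now=None):
    """Accept the token once, before expiry, using a constant-time compare."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    stored, expiry = entry
    if now > expiry:
        del _pending[email]                          # expired: discard it
        return False
    if not hmac.compare_digest(stored, _digest(token)):
        return False
    del _pending[email]                              # single use
    ACCOUNTS[email]["password"] = new_password
    return True


def last_token_for(email):
    """Test hook: read the newest token the fake mail system holds."""
    for addr, tok in reversed(_outbox):
        if addr == email:
            return tok
    return None


if __name__ == "__main__":
    # Weak flow: attacker with email + DOB takes the account outright.
    print("weak reset succeeded:", weak_reset("alice@example.com", "1985-04-12", "pwned"))
    # Hardened flow: same attacker gets nowhere without the mailbox.
    request_reset("alice@example.com")
    print("guess accepted:", complete_reset("alice@example.com", "1985-04-12", "pwned"))
    print("real token accepted:", complete_reset("alice@example.com",
                                                  last_token_for("alice@example.com"), "fresh"))
```

The hardened version still depends on the mailbox being secure, which is why the thread's later discussion about an unverified "additional address" on an account matters: whoever can read reset mail owns the reset path.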
Apple tends to nag you if you're on a PC and don't have iTunes, which I don't. At first, I thought this was an Apple trick to get me to sign up. Seriously.
I did take the steps to change my password, though, going directly to the Apple site to do so... but I've not gotten a response back with a confirming link to click on... and I'm continuing to get notices that someone/something is signing into various Apple services using one of my email addresses and an iPhone which I don't have.
Again, no response from Apple, so perhaps some cause for concern that someone is playing with my account. Haven't yet found an update on the story. Reports say they've fixed it, but I'm not seeing that.
Oh, it would be fun to have that: go to
log in using your Apple ID
click on Find My iPhone
click on all devices
click on the offending iPhone
click lost it
There, the phone now needs to be returned to Apple to get unlocked without knowing the PIN code you get to set on it.
[if it's your phone: take care not to forget the code you set ...]
To log into your account one needs to have your login and password.
Are you sure you don't have more than one account on different email addresses?
From what I can tell, the hack attempt, if that's what's happening, is that someone set up an account using an email address that belongs to me, and put themselves on as an additional address... using for the additional address a name similar to mine. I think the scam is they had access via that additional address, and were hoping I wouldn't notice it but that I might add or correct other private or security related information.
After changing the password and noticing the additional email address, I did remove it... hoping I did so in time that they can't access the account with that address. I also removed what I could, and left the rest the same for now. I didn't add any new info, which would have been required if I'd made changes, say, in the postal address.
I should probably go in, check the account, and then change the password again, now that they're off the account (assuming that is the case). It appears that is so... but I'm sleeping on whether to change the password for now, since I assume if they change anything further, I'll get notified. I don't believe they can change the primary email address.
Actually, I really don't want an Apple ID. The setup as it is certainly is a drag.
PS: This, contained in one of my verification messages from Apple, worries me, as I didn't verify the use of my address in the first place....
|If you didn't do this, don't worry. Your email address cannot be used as a contact address for an Apple ID without your verification. |
I'm thinking, btw, that the additional email to get more private info may be a stage two of the primary hack (that took advantage of the first Apple security flaw).
Spent too much time today on the telephone with Apple support. Got to a Senior Tech Support Supervisor, who was bright, articulate, and pretty savvy about Apple, but not so savvy about practices outside of Apple.
The gist of it is that whoever set up the account using my email address as an ID was able to get back in and change the password I had changed. I don't want to expose the details, but I think they still have a problem. I suggested they boot it up to management level... as IMO it's potentially a big issue.