
Saturday, March 23, 2013

Apple suspends password resets after critical account-hijack bug is found



Using DOB and a modified URL, attackers could reportedly take control of accounts.

Apple suspended the password-reset functionality for its iCloud and iTunes services following a published report that hackers could exploit it to hijack other people's accounts.
The password reset page stopped loading a few hours after The Verge reported there was an online tutorial that provided detailed instructions for taking unauthorized control of Apple accounts. The report didn't identify the website or the precise technique, except to say it involved "pasting in a modified URL while answering the DOB security question on Apple's iForgot page."
"It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand," reporter Chris Welch wrote. "Out of security concerns, we will not be linking to the website in question."
A few hours later, the news site published a separate post quoting Apple officials as saying they were "aware of the issue, and working on a fix."
Those who had already enrolled in the two-factor authentication protection Apple unveiled on Thursday were reportedly safe from the exploit. Those who hadn't signed up were presumably vulnerable if an attacker knew their birthdate. Given the common practice of disclosing birthdays on Facebook and other social media, the information needed to exploit the flaw was widely available for many iCloud and iTunes users. Complicating matters, according to The Verge, two-factor authentication still isn't available to people outside of the US, UK, Australia, Ireland, and New Zealand.
Apple should be commended for acting so quickly to suspend password resets after the flaw became public. As Wired reporter Mat Honan learned firsthand, losing control of an iCloud account can precipitate a cascading series of compromises that can wipe out years of photos, e-mails, and other digital assets.
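The reported flaw, a modified URL that let an attacker skip the DOB security question during a reset, is the classic failure of trusting client-supplied parameters for multi-step flow state. As an added illustration (not Apple's code, and using constructed account data), the sketch below keeps reset progress entirely server-side, so extra URL parameters are never consulted, and excludes accounts with two-factor authentication from the knowledge-based flow altogether, as the article says Apple's rollout did.

```python
import hmac
import secrets

# Constructed sample accounts (not real data): the DOB used as the
# security-question answer and whether two-factor auth is enrolled.
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-04-12", "two_factor": False},
    "bob@example.com": {"dob": "1985-11-03", "two_factor": True},
}

# Reset state lives only on the server, keyed by an unguessable session id.
SESSIONS = {}

def start_reset(account):
    """Step 1: open a reset session bound to one account.

    Accounts with two-factor auth enrolled never get the knowledge-based
    (DOB) flow at all, mirroring the exemption described above."""
    record = ACCOUNTS.get(account)
    if record is None or record["two_factor"]:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"account": account, "step": "dob"}
    return sid

def answer_dob(sid, dob):
    """Step 2: accepted only while the session is waiting at the DOB step."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["step"] != "dob":
        return False
    if not hmac.compare_digest(ACCOUNTS[sess["account"]]["dob"], dob):
        del SESSIONS[sid]  # a wrong answer ends the session outright
        return False
    sess["step"] = "reset"
    return True

def set_password(request):
    """Step 3: `request` holds the client-supplied URL/form parameters.

    Anything the client adds (e.g. dob_verified=1) is simply never read;
    only the server-side step decides whether the reset may proceed."""
    sess = SESSIONS.get(request.get("sid"))
    if sess is None or sess["step"] != "reset":
        return False
    del SESSIONS[request["sid"]]  # single use
    ACCOUNTS[sess["account"]]["password"] = request["password"]
    return True
```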
