Saturday, March 23, 2013

New Apple Security Exploit Lets Someone Reset Your Password

"That was easy..."
UPDATE: Apple's password-reset system currently appears to be down.

An Apple account exploit allows anyone with your email address and date of birth to reset your Apple ID and iCloud account password.

First reported by The Verge, the exploit uses Apple's own tools to break into accounts: an attacker loads a modified URL and enters someone's date of birth on Apple's iForgot page. Directions on how to take advantage of the vulnerability were published in a step-by-step tutorial.

On Thursday, Apple launched two-step verification for Apple ID and iCloud account passwords. When set up, two-step verification would prevent someone from using the vulnerability to access accounts.

Much like the two-step verification process for other services, Apple's two-step verification confirms your identity when your account is accessed from a new device.

Verification is done using another one of your devices, such as your iPhone. For instance, if you buy a new computer and sign in to iCloud on it, Apple will send a numerical code to your iPhone via text message. You take the numerical code sent to your phone and enter it on your computer to verify that you are in fact who you say you are.

You can, and should, set up two-step verification on your Apple accounts now.
