Apple’s new two-step verification process has already been put to the test, thanks to a (now apparently offline) exploit that allows anyone with your email address and birthday to reset your Apple ID. The Verge confirmed the exploit after the site was made aware of a tutorial posted on a Chinese-language hacking site. The hack involves pasting a modified URL while answering the question about the account’s date of birth info.
The Verge did further exploration on the hack and found that accounts that were told they needed to wait three days to enable the two-step verification are also vulnerable to the exploit. The only way to change it for those in the waiting period is for people to change their birthdays in their Apple profile.
Apple’s password reset tool is in maintenance status right now, which means there’s no way to use the exploit. Chances are it will remain offline until Apple gets this hole patched.
Apple maintains its Product Security page, including a contact email, to allow users, researchers or media organizations to notify the company of emergent security issues and concerns.
Update: Apple has confirmed the exploit to The Verge and says it is working on a fix.
Exploit (now offline) allowed bogus reset of Apple ID passwords (updated) originally appeared on TUAW – The Unofficial Apple Weblog on Fri, 22 Mar 2013 17:22:00 EST. Please see our terms for use of feeds.
Source | Permalink | Email this | Comments