Exploit allows Apple ID account hijack with little info [u]
MacNN Staff
Join Date: Jul 2012
Mar 22, 2013, 03:49 PM
(Updated with Apple disabling the iForgot password retrieval page) A new exploit lets people hijack an Apple ID account using only an email address and someone's date of birth, says The Verge. The process involves pasting in a modified URL while answering the date of birth question on Apple's password retrieval page. Doing this lets someone reset an Apple ID's password, locking out the original owner unless they can get Apple's help.

The only remedy to the problem appears to be the two-step verification process Apple introduced just yesterday. That forces people to enter a PIN code before changing account info, and the code is only accessible through Find My iPhone or a text message to a pre-registered phone number.

As a response to the exploit, Apple has disabled the iForgot webpage, used for password recovery and retrieval. Apple has not made any public comment on this matter, or given any timetable for the page's return.
( Last edited by NewsPoster; Mar 22, 2013 at 05:01 PM. )
Mac Elite
Join Date: Oct 1999
Location: Montréal, Québec (Canada)
Mar 22, 2013, 07:49 PM
like common hackers know that info... so the only people that could do it are relatives...
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Mar 22, 2013, 08:39 PM
determined and specific attack. Finding out someone's specific birthday and email address isn't hard if you know them, obviously, but if you don't know them that would take quite a bit of doing. While not meaning to suggest that this isn't a serious flaw, I suspect reports "in the wild" of such problems will be limited to pranksters within the victim's own circle of family or friends.
Charles Martin
MacNN Editor
Professional Poster
Join Date: Sep 1999
Mar 22, 2013, 10:28 PM
Just look for public postings on Facebook - Happy 40th birthday, Jimmy. And then guess his Apple ID. It's not hard. Good on Apple for catching this quickly. Let's hope they fix it quickly.
All contents of these forums © 1995-2015 MacNN. All rights reserved.