MacNN Forums (http://forums.macnn.com/)
-   Mac News (http://forums.macnn.com/mac-news/)
-   -   Apple restores 'iForgot' system, fixes password flaw (http://forums.macnn.com/112/mac-news/499147/apple-restores-iforgot-system-fixes-password/)

 
NewsPoster Mar 22, 2013 10:59 PM
Apple restores 'iForgot' system, fixes password flaw
A security flaw <a href="http://macnn.com/rd/281730==http://www.electronista.com/articles/13/03/22/two.step.verification.only.current.defense/#JB6ei254ojesZF8e.99" rel='nofollow'>exposed earlier</a> on Friday has already been fixed, just hours after it was discovered, according to Apple. The issue, which could have allowed malicious users to hijack and lock out the legitimate owners, just by knowing the email address and exact birthdate of a victim. In response, Apple temporarily took its <a href="http://macnn.com/rd/281730==http://www.electronista.com/articles/13/03/22/two.step.verification.only.current.defense/#JB6ei254ojesZF8e.99" rel='nofollow'>"iForgot" password-resetting service offline</a> while it resolved the issue.<br />
<br />
The process involved pasting a modified URL while answering the birthdate question on the password retrieval page, which allowed the attacker to reset the password. Ironically, the only defense against the vulnerability was to enable Apple's just-introduced <a href="http://macnn.com/rd/281727==http://www.macnn.com/articles/13/03/21/sends.codes.to.findy.my.iphone.sms.numbers/#TPsdT0yPGhartJZp.99" rel='nofollow'>two-step verification process</a>, which adds a PIN code requirement before changing account info. The PIN code is only accessible through Find My iPhone or a text message to a pre-registered phone number.<br />
<br />
The <a href="http://macnn.com/rd/281728==http://iforgot.apple.com" rel='nofollow'>iForgot service</a> was restored around 6:30PT after being down for approximately five and a half hours. Apple had been quick to respond to the issue, releasing a <a href="http://macnn.com/rd/281729==http://www.theverge.com/2013/3/22/4137068/apple-confirms-security-threat-working-on-fix" rel='nofollow'>statement</a> that it was aware of the problem and working on a fix shortly after iForgot was taken offline. The company's move likely prevented the exploit from being used widely -- no field reports of compromised accounts have been seen thus far.<br />
<br />
All systems are now reported to be working properly, and the vulnerability has been closed.<br />
<br />
<br />
 
All times are GMT -4. The time now is 11:03 AM.

Copyright © 2005-2007 MacNN. All rights reserved.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2016, vBulletin Solutions, Inc.


Content Relevant URLs by vBSEO 3.3.2