Monday, March 25, 2013

What Impact Will the Apple Password Security Hole Have?

Huge security hole allows anyone to reset your Apple password with nothing but an email and the user's birthday!

Your Apple ID is the login you use to access iTunes and purchase music, videos, and apps. Millions of people have their credit card information tied to their Apple ID, so how did this password security problem occur?
Normally the password reset process has 6 steps:
1. Enter your Apple ID to begin the process on
2. Choose an authentication method - "Answer security questions" is the one we would use.
3. Enter your birthday.
4. Answer two security questions.
5. Enter a new password.
6. A prompt confirms that your password has been reset.

Once step 4 is finished, a complex URL appears. Such URLs could effectively be hacked together by performing a reset on your own password, collecting the data, and tweaking it just slightly for someone else’s account, thereby letting hackers skip straight from step 3 to step 5. The new exploit affects all customers who have not yet enabled the new two-step authentication feature. To make matters worse, some users who enabled two-step authentication yesterday have to wait 3 days before it kicks in, meaning some might still be vulnerable to the exploit.
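A reset flow resists the kind of step skipping described above when progress is recorded on the server and the final step reads the target account from that record rather than from the request. The Python sketch below is an added illustration, not Apple's code and not part of the original post; the class, method and field names are assumptions.

```python
import hmac
import secrets

class ResetError(Exception):
    pass

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

class ResetFlow:
    """Hypothetical reset flow: progress lives server-side, keyed by a token."""

    def __init__(self, accounts):
        self.accounts = accounts   # account id -> birthday, answers, password
        self.sessions = {}         # token -> {"account": id, "done": set()}

    def begin(self, account_id):                      # steps 1-2
        if account_id not in self.accounts:
            raise ResetError("unknown account")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"account": account_id, "done": set()}
        return token

    def _session(self, token):
        if token not in self.sessions:
            raise ResetError("invalid or used reset session")
        return self.sessions[token]

    def submit_birthday(self, token, birthday):       # step 3
        s = self._session(token)
        if not _same(birthday, self.accounts[s["account"]]["birthday"]):
            raise ResetError("birthday mismatch")
        s["done"].add("birthday")

    def submit_answers(self, token, answers):         # step 4
        s = self._session(token)
        expected = self.accounts[s["account"]]["answers"]
        if "birthday" not in s["done"]:
            raise ResetError("birthday step not completed")
        if len(answers) != len(expected) or not all(map(_same, answers, expected)):
            raise ResetError("security answers mismatch")
        s["done"].add("answers")

    def set_password(self, token, new_password):      # step 5
        s = self._session(token)
        # The account comes from server state, never from request parameters.
        if s["done"] != {"birthday", "answers"}:
            raise ResetError("verification incomplete")
        self.accounts[s["account"]]["password"] = new_password
        del self.sessions[token]                      # token is single use
        return s["account"]
```

Because `set_password` takes only the token, values collected from one account's reset carry no account identifier that could be edited to point at another account.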

What a terrible thing! Luckily, the process didn't leak out in full before the whole thing was revamped, and there haven't yet been reports of anyone falling victim to this flaw.

“Apple takes customer privacy very seriously,” an Apple spokesperson told AllThingsD in a statement. “We are aware of this issue, and working on a fix. Two-step verification is an even more robust process to ensure our users’ data remains protected. We are now offering our users the choice to take advantage of this additional layer of security.” If the two-step verification feature is enabled, each time you try to log in on a new device, a security code is sent via SMS or the Find My iPhone app (available from the App Store), and you need that code to get in. The two-step feature can be turned on by going to the Apple ID website and enabling it via the security tab, for users in the US, UK, Australia, Ireland, and New Zealand. Users have to wait up to three days for the feature to be enabled.

If you haven’t enabled two-step verification for your Apple account, we strongly recommend that you do so as soon as possible.

By the way, I want to declare that anyone who uses iTunes Backup Password Recovery to unlock an iTunes backup password should adhere to basic morals. Don’t use this smart tool to violate the privacy of others.
