Risk
3/25/2013
11:21 AM
50%
50%

Apple Patches Password Reset Vulnerability

Bug wouldn't have been blocked by Apple's new two-factor iTunes authentication due to system's three-day waiting period.

Apple Friday patched a serious flaw in its Apple ID security system that would have enabled an attacker to reset a target's password to a password of their own choosing.

Apple took its Apple ID "reset your password" -- a.k.a. "iForgot" -- page offline Friday after The Verge reported that a "step-by-step tutorial" had been published to the Web, detailing how to take advantage of the flaw.

While the site didn't publish a link to the tutorial, it noted that "the exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page" and providing a target's email address. The vulnerability would allow an attacker to access a person's iTunes account, iCloud email and any other sensitive data they stored in Apple's cloud.

Apple Friday confirmed the vulnerability in a statement to The Verge. "Apple takes customer privacy very seriously," it said. "We are aware of this issue and working on a fix." By later Friday, according to the Apple system status page, the password-reset feature had been restored.

[ Security fixes are becoming more commonplace for Apple. Read Apple Fixes iOS Lock Bypass. ]

The password-reset flaw was spotted just one day after Apple debuted a new two-step authentication system for Apple IDs. Such a system would help prevent the sort of "life hack attack" used to compromise journalist Mat Honan last year, after an attacker phoned up Apple's support line and pretended to be Honan, then reset Honan's password to arbitrary one of their own choosing.

"Seven months ago, Apple faced a huge blast of negative publicity when a journalist lost his fruit-flavored digital life after an attacker tricked Apple's support staff into handing over his Apple ID password," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Enter two-factor authentication, Apple-style. "You log in as usual, then Apple SMSes you a one-time magic code which you need to type in to complete the authentication process," said Ducklin. "Not perfect, and nowhere near as good as a standalone access token like your bank might have given you, but a definite step forward."

So far, two-step verification appears to be available for only some users in the United States, Australia, Ireland, New Zealand and the United Kingdom.

But Apple's new two-step authentication system requires a three-day cooling-off period, meaning that even if a user activated it Thursday, it wouldn't have blocked attacks using the vulnerability that came to light Friday. "This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification," explains Apple's two-step set-up page.

Apple's iForgot fix followed the company issuing a raft of security updates Tuesday, including iOS 6.1.3, which patched a lock screen bypassing bug.

By Wednesday, however, an iPhone hacker known as "videosdebarraquito" posted a video to YouTube demonstrating a technique for bypassing the lock screen on iOS 6.1.3, which involves having physical access to a device and being able to remove the SIM card. Until Apple issues a new fix, the vulnerability can be mitigated by deactivating the iPhone's "Voice Dial" feature, which uses Siri voice recognition.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

CVE-2014-7880
Published: 2014-12-17
Multiple unspecified vulnerabilities in the POP implementation in HP OpenVMS TCP/IP 5.7 before ECO5 allow remote attackers to cause a denial of service via unspecified vectors.

CVE-2014-8133
Published: 2014-12-17
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.