Risk
3/25/2013
11:21 AM
Connect Directly
RSS
E-Mail
50%
50%

Apple Patches Password Reset Vulnerability

Bug wouldn't have been blocked by Apple's new two-factor iTunes authentication due to system's three-day waiting period.

Apple Friday patched a serious flaw in its Apple ID security system that would have enabled an attacker to reset a target's password to a password of their own choosing.

Apple took its Apple ID "reset your password" -- a.k.a. "iForgot" -- page offline Friday after The Verge reported that a "step-by-step tutorial" had been published to the Web, detailing how to take advantage of the flaw.

While the site didn't publish a link to the tutorial, it noted that "the exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page" and providing a target's email address. The vulnerability would allow an attacker to access a person's iTunes account, iCloud email and any other sensitive data they stored in Apple's cloud.

Apple Friday confirmed the vulnerability in a statement to The Verge. "Apple takes customer privacy very seriously," it said. "We are aware of this issue and working on a fix." By later Friday, according to the Apple system status page, the password-reset feature had been restored.

[ Security fixes are becoming more commonplace for Apple. Read Apple Fixes iOS Lock Bypass. ]

The password-reset flaw was spotted just one day after Apple debuted a new two-step authentication system for Apple IDs. Such a system would help prevent the sort of "life hack attack" used to compromise journalist Mat Honan last year, after an attacker phoned up Apple's support line and pretended to be Honan, then reset Honan's password to arbitrary one of their own choosing.

"Seven months ago, Apple faced a huge blast of negative publicity when a journalist lost his fruit-flavored digital life after an attacker tricked Apple's support staff into handing over his Apple ID password," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Enter two-factor authentication, Apple-style. "You log in as usual, then Apple SMSes you a one-time magic code which you need to type in to complete the authentication process," said Ducklin. "Not perfect, and nowhere near as good as a standalone access token like your bank might have given you, but a definite step forward."

So far, two-step verification appears to be available for only some users in the United States, Australia, Ireland, New Zealand and the United Kingdom.

But Apple's new two-step authentication system requires a three-day cooling-off period, meaning that even if a user activated it Thursday, it wouldn't have blocked attacks using the vulnerability that came to light Friday. "This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification," explains Apple's two-step set-up page.

Apple's iForgot fix followed the company issuing a raft of security updates Tuesday, including iOS 6.1.3, which patched a lock screen bypassing bug.

By Wednesday, however, an iPhone hacker known as "videosdebarraquito" posted a video to YouTube demonstrating a technique for bypassing the lock screen on iOS 6.1.3, which involves having physical access to a device and being able to remove the SIM card. Until Apple issues a new fix, the vulnerability can be mitigated by deactivating the iPhone's "Voice Dial" feature, which uses Siri voice recognition.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.