Risk
3/25/2013
11:21 AM
50%
50%

Apple Patches Password Reset Vulnerability

Bug wouldn't have been blocked by Apple's new two-factor iTunes authentication due to system's three-day waiting period.

Apple Friday patched a serious flaw in its Apple ID security system that would have enabled an attacker to reset a target's password to a password of their own choosing.

Apple took its Apple ID "reset your password" -- a.k.a. "iForgot" -- page offline Friday after The Verge reported that a "step-by-step tutorial" had been published to the Web, detailing how to take advantage of the flaw.

While the site didn't publish a link to the tutorial, it noted that "the exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page" and providing a target's email address. The vulnerability would allow an attacker to access a person's iTunes account, iCloud email and any other sensitive data they stored in Apple's cloud.

Apple Friday confirmed the vulnerability in a statement to The Verge. "Apple takes customer privacy very seriously," it said. "We are aware of this issue and working on a fix." By later Friday, according to the Apple system status page, the password-reset feature had been restored.

[ Security fixes are becoming more commonplace for Apple. Read Apple Fixes iOS Lock Bypass. ]

The password-reset flaw was spotted just one day after Apple debuted a new two-step authentication system for Apple IDs. Such a system would help prevent the sort of "life hack attack" used to compromise journalist Mat Honan last year, after an attacker phoned up Apple's support line and pretended to be Honan, then reset Honan's password to arbitrary one of their own choosing.

"Seven months ago, Apple faced a huge blast of negative publicity when a journalist lost his fruit-flavored digital life after an attacker tricked Apple's support staff into handing over his Apple ID password," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Enter two-factor authentication, Apple-style. "You log in as usual, then Apple SMSes you a one-time magic code which you need to type in to complete the authentication process," said Ducklin. "Not perfect, and nowhere near as good as a standalone access token like your bank might have given you, but a definite step forward."

So far, two-step verification appears to be available for only some users in the United States, Australia, Ireland, New Zealand and the United Kingdom.

But Apple's new two-step authentication system requires a three-day cooling-off period, meaning that even if a user activated it Thursday, it wouldn't have blocked attacks using the vulnerability that came to light Friday. "This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification," explains Apple's two-step set-up page.

Apple's iForgot fix followed the company issuing a raft of security updates Tuesday, including iOS 6.1.3, which patched a lock screen bypassing bug.

By Wednesday, however, an iPhone hacker known as "videosdebarraquito" posted a video to YouTube demonstrating a technique for bypassing the lock screen on iOS 6.1.3, which involves having physical access to a device and being able to remove the SIM card. Until Apple issues a new fix, the vulnerability can be mitigated by deactivating the iPhone's "Voice Dial" feature, which uses Siri voice recognition.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5075
Published: 2014-12-27
Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5.0 Korean Trial allows local users to cause a denial of service (memory corruption and panic) via a crafted IOCTL_ASWFW_COMM_PIDINFO_RESULTS DeviceIoControl request to \\.\aswFW.

CVE-2011-4720
Published: 2014-12-27
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVE-2011-4722
Published: 2014-12-27
Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation.

CVE-2012-1203
Published: 2014-12-27
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.

CVE-2012-1302
Published: 2014-12-27
Multiple cross-site scripting (XSS) vulnerabilities in amMap 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ammap.swf, or (3) the data_file parameter to amtimeline.swf.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.