Risk
3/25/2013
11:21 AM
Connect Directly
RSS
E-Mail
50%
50%

Apple Patches Password Reset Vulnerability

Bug wouldn't have been blocked by Apple's new two-factor iTunes authentication due to system's three-day waiting period.

Apple Friday patched a serious flaw in its Apple ID security system that would have enabled an attacker to reset a target's password to a password of their own choosing.

Apple took its Apple ID "reset your password" -- a.k.a. "iForgot" -- page offline Friday after The Verge reported that a "step-by-step tutorial" had been published to the Web, detailing how to take advantage of the flaw.

While the site didn't publish a link to the tutorial, it noted that "the exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page" and providing a target's email address. The vulnerability would allow an attacker to access a person's iTunes account, iCloud email and any other sensitive data they stored in Apple's cloud.

Apple Friday confirmed the vulnerability in a statement to The Verge. "Apple takes customer privacy very seriously," it said. "We are aware of this issue and working on a fix." By later Friday, according to the Apple system status page, the password-reset feature had been restored.

[ Security fixes are becoming more commonplace for Apple. Read Apple Fixes iOS Lock Bypass. ]

The password-reset flaw was spotted just one day after Apple debuted a new two-step authentication system for Apple IDs. Such a system would help prevent the sort of "life hack attack" used to compromise journalist Mat Honan last year, after an attacker phoned up Apple's support line and pretended to be Honan, then reset Honan's password to arbitrary one of their own choosing.

"Seven months ago, Apple faced a huge blast of negative publicity when a journalist lost his fruit-flavored digital life after an attacker tricked Apple's support staff into handing over his Apple ID password," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Enter two-factor authentication, Apple-style. "You log in as usual, then Apple SMSes you a one-time magic code which you need to type in to complete the authentication process," said Ducklin. "Not perfect, and nowhere near as good as a standalone access token like your bank might have given you, but a definite step forward."

So far, two-step verification appears to be available for only some users in the United States, Australia, Ireland, New Zealand and the United Kingdom.

But Apple's new two-step authentication system requires a three-day cooling-off period, meaning that even if a user activated it Thursday, it wouldn't have blocked attacks using the vulnerability that came to light Friday. "This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification," explains Apple's two-step set-up page.

Apple's iForgot fix followed the company issuing a raft of security updates Tuesday, including iOS 6.1.3, which patched a lock screen bypassing bug.

By Wednesday, however, an iPhone hacker known as "videosdebarraquito" posted a video to YouTube demonstrating a technique for bypassing the lock screen on iOS 6.1.3, which involves having physical access to a device and being able to remove the SIM card. Until Apple issues a new fix, the vulnerability can be mitigated by deactivating the iPhone's "Voice Dial" feature, which uses Siri voice recognition.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5316
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page.

CVE-2014-5320
Published: 2014-09-21
The Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.

CVE-2014-5321
Published: 2014-09-21
FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319...

CVE-2014-5322
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640.

CVE-2014-6602
Published: 2014-09-21
Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.

Best of the Web
Dark Reading Radio