Risk
3/25/2013
11:21 AM
50%
50%

Apple Patches Password Reset Vulnerability

Bug wouldn't have been blocked by Apple's new two-factor iTunes authentication due to system's three-day waiting period.

Apple Friday patched a serious flaw in its Apple ID security system that would have enabled an attacker to reset a target's password to a password of their own choosing.

Apple took its Apple ID "reset your password" -- a.k.a. "iForgot" -- page offline Friday after The Verge reported that a "step-by-step tutorial" had been published to the Web, detailing how to take advantage of the flaw.

While the site didn't publish a link to the tutorial, it noted that "the exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page" and providing a target's email address. The vulnerability would allow an attacker to access a person's iTunes account, iCloud email and any other sensitive data they stored in Apple's cloud.

Apple Friday confirmed the vulnerability in a statement to The Verge. "Apple takes customer privacy very seriously," it said. "We are aware of this issue and working on a fix." By later Friday, according to the Apple system status page, the password-reset feature had been restored.

[ Security fixes are becoming more commonplace for Apple. Read Apple Fixes iOS Lock Bypass. ]

The password-reset flaw was spotted just one day after Apple debuted a new two-step authentication system for Apple IDs. Such a system would help prevent the sort of "life hack attack" used to compromise journalist Mat Honan last year, after an attacker phoned up Apple's support line and pretended to be Honan, then reset Honan's password to arbitrary one of their own choosing.

"Seven months ago, Apple faced a huge blast of negative publicity when a journalist lost his fruit-flavored digital life after an attacker tricked Apple's support staff into handing over his Apple ID password," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

Enter two-factor authentication, Apple-style. "You log in as usual, then Apple SMSes you a one-time magic code which you need to type in to complete the authentication process," said Ducklin. "Not perfect, and nowhere near as good as a standalone access token like your bank might have given you, but a definite step forward."

So far, two-step verification appears to be available for only some users in the United States, Australia, Ireland, New Zealand and the United Kingdom.

But Apple's new two-step authentication system requires a three-day cooling-off period, meaning that even if a user activated it Thursday, it wouldn't have blocked attacks using the vulnerability that came to light Friday. "This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification," explains Apple's two-step set-up page.

Apple's iForgot fix followed the company issuing a raft of security updates Tuesday, including iOS 6.1.3, which patched a lock screen bypassing bug.

By Wednesday, however, an iPhone hacker known as "videosdebarraquito" posted a video to YouTube demonstrating a technique for bypassing the lock screen on iOS 6.1.3, which involves having physical access to a device and being able to remove the SIM card. Until Apple issues a new fix, the vulnerability can be mitigated by deactivating the iPhone's "Voice Dial" feature, which uses Siri voice recognition.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?