
Apple Patches Password Reset Vulnerability

Bug wouldn't have been blocked by Apple's new two-factor iTunes authentication due to system's three-day waiting period
Apple on Friday patched a serious flaw in its Apple ID security system that would have enabled an attacker to reset a target's password to a password of their own choosing.

Apple took its Apple ID "reset your password" -- a.k.a. "iForgot" -- page offline Friday after The Verge reported that a "step-by-step tutorial" had been published to the Web, detailing how to take advantage of the flaw.

While the site didn't publish a link to the tutorial, it noted that "the exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page" and providing a target's email address. The vulnerability would allow an attacker to access a person's iTunes account, iCloud email and any other sensitive data they stored in Apple's cloud.

Read full story on InformationWeek.
