Apple Password Reset Bug Allows Anyone to Hijack User Accounts

A step-by-step tutorial showing how to change Apple ID passwords posted on the underweb has caused a massive headache to the Cupertino-based technology vendor. The tutorial has forced Apple to put the password recovery process in maintenance mode over the weekend to protect customers’ accounts.

The step-by-step account hijacking guide [the tutorial is not working anymore] reveals a gaping security hole in the screening process before a valid user is allowed to reset a password. Unlike other websites, Apple does not send a confirmation link over the web, but rather takes the user through a series of steps asking for date of birth and an answer to the pre-set security question.

Password recovery is a five-step process; upon every successful step, the password recovery application appends a parameter to the URL and sends it to the server as a GET request. It appears that the answer to the security question is not validated when it is passed as a URL parameter, so a user familiar with the form of the final URL can manipulate the URL to bypass the check and reach the password reset form without going through the entire process. An attacker only needs to know the victim’s date of birth – information that can be easily obtained from social networking websites or even public records.
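The flaw described above is a general one: a multi-step flow whose position is carried in the request (URL parameters appended step by step) rather than in server-side state, so a final page that forgets to re-check one parameter lets that step be skipped. The following Python sketch is an added illustration, not code from the article or from Apple, and the account record, field names and step order are constructed for the example. It contrasts a final page that trusts the accumulated query string (and omits the security-answer check) with a flow where the server alone records which step comes next.

```python
import hmac
import secrets

# Constructed sample account record for the example; not a real Apple ID.
ACCOUNT = {"email": "user@example.com", "dob": "1985-04-12", "answer": "rover"}


def _match(given, expected):
    """Constant-time comparison; a missing parameter never matches."""
    if given is None:
        return False
    return hmac.compare_digest(str(given).encode(), str(expected).encode())


# --- Weak pattern: flow state rides along in the URL ----------------------
# Each step appends its parameter to the URL and the final page re-reads
# them. If the final page omits one check, the step it belongs to can be
# skipped simply by requesting the final URL directly.

def weak_reset_page(params):
    """Final step of the weak flow. Checks e-mail and date of birth from the
    query string but never validates the security answer (the missing check
    the article describes), so knowing the DOB is enough to reach the form."""
    if not _match(params.get("email"), ACCOUNT["email"]):
        return "error"
    if not _match(params.get("dob"), ACCOUNT["dob"]):
        return "error"
    return "reset_form"


# --- Hardened pattern: flow state lives on the server --------------------
# The client holds only an opaque token; the server records which step
# comes next and refuses anything else, so no URL can name a later step.

SESSIONS = {}                        # token -> {"step": int}; stands in for a server-side store
ORDER = ("email", "dob", "answer")   # checks, in the order they must pass


def start_reset():
    """Open a recovery session and hand the client an unguessable token."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"step": 0}
    return token


def hardened_step(token, field, value):
    """Submit one answer. Only the field the server expects next is
    accepted; a wrong or out-of-order submission ends the session so the
    flow cannot be resumed from a later step."""
    sess = SESSIONS.get(token)
    if sess is None or sess["step"] >= len(ORDER):
        return "error"
    expected_field = ORDER[sess["step"]]
    if field != expected_field or not _match(value, ACCOUNT[field]):
        SESSIONS.pop(token, None)
        return "error"
    sess["step"] += 1
    return "ok"


def hardened_reset_page(token):
    """Serve the reset form only once every step has passed, then consume
    the token so the form cannot be reached a second time."""
    sess = SESSIONS.get(token)
    if sess is None or sess["step"] != len(ORDER):
        return "error"
    SESSIONS.pop(token, None)
    return "reset_form"
```

The design point is that the hardened version never reads a step number or a previously answered field from the client; progress is a server-side counter that only advances on a correct answer to the currently expected question, and the token is consumed when the form is served. Logging every `error` return with the token and the field submitted also gives a detection signal for attempts to jump ahead in the flow.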

The company took the password recovery page down immediately and issued a fix yesterday, but it is currently unknown whether the bug had already been exploited. An Apple ID compromise can have devastating effects on users, as it allows access to critical services such as iCloud (where an attacker can locate, wipe, lock the registered Apple devices or access cloud-saved documents, the e-mail account and contact list).

About The Author

E-Threat Analyst

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.

Comments (2)

  • Mark Byrn

    Apple fixed this four days ago and you’re just getting around to reporting it as though it’s breaking news? Try Googling ‘Apple brings password page back online after fixing security exploit’ – it’s an article that was posted on The Verge on 22 Mar.

  • Loredana Botezatu

    Thank you, Mark, for your comment. This is not breaking news; it is important news for our readers. We decided to write about it now that the exploit is no longer working.

© 2012 Powered By Bitdefender