Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Exploit Allows Easy Apple ID Password Reset

Glenn Fleishman

The Verge [1]reports that the Apple ID's [2]iForgot password-reset page has an exploit documented in a publicly available set of instructions. The exploit requires use of a modified URL to open the page, coupled with knowledge of a user's email address and date of birth. (The Verge does not link to such instructions and neither do we.)

Most of our dates of birth may already be floating around in hacker hideouts (or more publicly) due to previous breaches of personal-credit and other databases. They can also be obtained through a cheap online identity search.

Apple quickly shut down the password-reset page, which remains unavailable at this writing. The exploit doesn't affect users who have switched to two-factor authentication, introduced by Apple yesterday in several countries (see '[3]Apple Implements Two-Factor Authentication for Apple IDs,' 21 March 2013). In Apple's two-factor system, one can reset a password without knowing the password only with possession of a trusted device (one that's been verified with the Apple ID account) and the recovery key. (Loss of either of those elements and the password renders an Apple ID account permanently unrecoverable!)

The Verge and other sites don't explain why a password reset would be useful. Surely, if someone can receive the instructions to create a new password, that party already has the user's credentials for logging in? But that's not quite it. A cracker might find a way to read a user's email by stealing or gaining temporary physical access to a device, or by cracking an unrelated email account to which the primary address is forwarded.
In such cases, a malicious user can't log in to any of the other services or make purchases using that email. But if a ne'er-do-well can force a reset to an account to which he or she has access, that allows access to iTunes purchases, contacts stored in iCloud, and other associated data.

References

1. http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth
2. https://iforgot.apple.com/iForgot/iForgot.html
3. http://tidbits.com/article/13654