Dumb Apple Mistake Allowed Account Hijacks
Apple's iPod Touch, iPad and iPhone 4.
Although Apple has spent a good deal of time and effort patching security vulnerabilities over the last few weeks, its users keep finding new ones. Apple has already closed its latest exploitable flaw, but not before it could be used to turn a potentially account-saving new safeguard against legitimate users and lock them out.
The problem concerned Apple's iForgot service, which allows users to reset forgotten passwords, prompting them only for an e-mail address and a date of birth. Normally, Apple requires users to provide the answers to two security questions after this, which involve hard-to-guess personal details.
However, by stopping the page from loading midway through, attackers could access an authentication URL. A few short modifications to that URL allowed them to bypass the security questions altogether. From there, changing a user's password and accessing anything in his or her account, from financial information to billing addresses, would be easy.
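The underlying design flaw is a reset flow in which each step lives at its own URL and the server never records, on its side, that the earlier steps were actually completed. The added example below is not Apple's code and makes no claim about how iForgot was implemented; it models a generic reset service in two versions with a constructed sample account: an insecure version whose final step trusts that the client went through the security questions, and a hardened version that tracks the stage of each reset token server-side and refuses a password change until the questions have been verified. Names such as `InsecureResetService`, `SecureResetService` and `SAMPLE_USERS` are hypothetical.

```python
import copy
import hmac
import secrets

# Constructed sample account store (hypothetical data, not a real account).
SAMPLE_USERS = {
    "alice@example.invalid": {
        "dob": "1990-01-01",
        "answers": ("rex", "springfield"),  # security-question answers
        "password": "old-password",
    },
}


def _equal(a, b):
    """Constant-time string comparison so answer checks do not leak timing."""
    return hmac.compare_digest(a.encode(), b.encode())


class InsecureResetService:
    """Step-per-URL design: after e-mail + date of birth the server issues a
    token, then assumes the client visited the questions page before calling
    set_password. Nothing server-side records whether it did."""

    def __init__(self, users):
        self.users = copy.deepcopy(users)
        self.tokens = {}  # token -> email

    def start(self, email, dob):
        user = self.users.get(email)
        if user is None or not _equal(user["dob"], dob):
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        return token

    def answer_questions(self, token, answers):
        email = self.tokens.get(token)
        if email is None:
            return False
        expected = self.users[email]["answers"]
        return len(answers) == len(expected) and all(_equal(e, a) for e, a in zip(expected, answers))

    def set_password(self, token, new_password):
        email = self.tokens.pop(token, None)
        if email is None:
            return False
        # Defect: never checks that answer_questions succeeded for this token,
        # so a caller who reaches this step directly skips the questions.
        self.users[email]["password"] = new_password
        return True


class SecureResetService:
    """Same steps, but every token carries a server-side stage. set_password
    succeeds only once the stage records that the questions were verified."""

    def __init__(self, users):
        self.users = copy.deepcopy(users)
        self.tokens = {}  # token -> {"email": ..., "stage": ...}

    def start(self, email, dob):
        user = self.users.get(email)
        if user is None or not _equal(user["dob"], dob):
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"email": email, "stage": "identified"}
        return token

    def answer_questions(self, token, answers):
        session = self.tokens.get(token)
        if session is None or session["stage"] != "identified":
            return False
        expected = self.users[session["email"]]["answers"]
        ok = len(answers) == len(expected) and all(_equal(e, a) for e, a in zip(expected, answers))
        if ok:
            session["stage"] = "questions_verified"
        else:
            self.tokens.pop(token)  # one attempt per token; a wrong answer ends the flow
        return ok

    def set_password(self, token, new_password):
        session = self.tokens.get(token)
        if session is None or session["stage"] != "questions_verified":
            return False
        self.tokens.pop(token)  # single use: the token cannot be replayed
        self.users[session["email"]]["password"] = new_password
        return True
```

The point of the hardened version is that the step ordering is enforced by state the client cannot see or edit: knowing the URL of the final step is worthless without a token whose server-side stage says the questions were passed. Tokens are also single-use and abandoned on a wrong answer, which limits guessing of the security questions.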
An unauthorized password change is problematic enough on its own, but exploiters could then activate Apple's two-step verification process (introduced only last week), effectively locking a legitimate user out of his or her own account. Briefly, two-step verification allows users to require both a password and a separate confirmation code each time they make a purchase in iTunes or the App Store.
Apple attempted to address this issue by implementing a three-day waiting period before enabling the two-step safeguard. This proved problematic, however, as it effectively gave exploiters a three-day window to reset passwords.
While iForgot went offline for a while as Apple addressed the security issue, it is now up and running again, minus the URL vulnerability. Now that its initial missteps are over, Apple's two-step verification should make purchases more secure, but its security track record has been all over the map recently. As usual, the best course of action is to secure your devices to the best of your ability, and hope for the best.