The Mac Security Blog

Apple

Apple’s iForgot Page Updated to Fix Vulnerability

Posted on by

More password-related excitement from Apple! It was a very busy week: iOS 6.1.3 fixed a passcode flaw, and almost immediately, another passcode flaw was found in that new version. Apple ID added 2-Factor Authentication, and then it was discovered that any accounts that had not implemented this new authentication were vulnerable to an exploit that would potentially give an attacker access to that account with minimal information. Shortly after hearing this news, Apple disabled the password reset functionality, but it was found that this too left users vulnerable to a similar problem. At that point, they took the iForgot page down entirely.

The iForgot password-reset required six steps to completely validate a user, but after entering only a user’s email and birthdate, it would generate a URL that would allow an attacker to access their account. This bypassed additional verification, such as answering security questions.

If you’ve ever wondered why security researchers get twitchy about people putting their birthdate on social networking sites, this is a good example of why. Few pieces of information by themselves are necessarily useful on their own, but the more information that’s easily available for you, the more tempting of a target you are. It’s not difficult to gather this information for most people if someone is suitably motivated to dig it up, but people who voluntarily provide this information in one location are the ever-tempting “low-hanging fruit.”

Another solution to problems like these is much like the strategy of answering security questions with nonsensical information. For many sites, you can use not your actual birthdate but another date in the same month. Of course, this does mean you have to remember an additional date.

At the time of writing, Apple has fixed this flaw and we can all breathe freely. It’s unclear whether this was used in the wild, but if you would like more peace of mind, you may wish to change your password. And now’s a good time to add that 2-Factor Authentication if it’s available in your area!