Apple suspends iForgot page after reports of security hole allowing unauthorized password resets

Apple has suspended the iForgot password page from its website after a report that a security hole allowed unauthorized password resets. The method involved manipulating a URL generated during the password-reset flow. Updates below.
The Verge was first to report the problem, which iMore then independently verified. The method was pitifully simple: it required only a crafted URL, which could be produced by hand with simple text editing. This is less a hack than a straightforward vulnerability. Several publications notified Apple, which is apparently working on a fix; the page is now down.
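The article says only that the reset URL could be altered by text editing; it does not name the parameters involved, and nothing below should be read as a reconstruction of the iForgot flaw. The following is an added example, not Apple's code, contrasting the general anti-pattern that makes such edits pay off (a reset link that names the target account in a client-editable field and a server that trusts it) with a reset flow bound to a server-side random, single-use, time-limited token. The hostname, the 15-minute token lifetime and the account records are constructed for illustration.

```python
"""Generic password-reset flow: a link carrying user-editable identity
beside one bound to a server-side single-use token. Illustrative only;
not Apple's iForgot code, whose parameters the article does not describe."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

RESET_BASE = "https://example.invalid/reset"  # assumed placeholder host
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)


def _query(url):
    """Return the query string of a reset URL as {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class VulnerableResetService:
    """Reset link names the account in an editable `email` parameter.

    The server verifies that `sid` belongs to a live reset session but
    never checks that the session was opened for the account in `email`,
    so editing `email` in the URL resets someone else's password.
    """

    def __init__(self, accounts):
        self.accounts = accounts          # email -> password (constructed data)
        self.sessions = set()             # live reset session ids

    def start_reset(self, email):
        sid = secrets.token_urlsafe(16)
        self.sessions.add(sid)            # session is not bound to `email`
        return f"{RESET_BASE}?{urlencode({'sid': sid, 'email': email})}"

    def complete_reset(self, url, new_password):
        q = _query(url)
        if q.get("sid") not in self.sessions or q.get("email") not in self.accounts:
            return False
        self.sessions.discard(q["sid"])
        self.accounts[q["email"]] = new_password   # trusts the URL's identity
        return True


class HardenedResetService:
    """Reset link carries only a random token; identity lives server-side.

    The token is stored hashed, bound to one account, single-use and
    time-limited, so there is no field in the URL worth editing.
    """

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts
        self.pending = {}                 # sha256(token) -> (email, expiry)
        self.now = now                    # injectable clock for expiry checks

    def start_reset(self, email):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, self.now() + TOKEN_TTL)
        return f"{RESET_BASE}?{urlencode({'token': token})}"

    def complete_reset(self, url, new_password):
        token = _query(url).get("token", "")
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)     # single use: consumed even on failure
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry or email not in self.accounts:
            return False
        self.accounts[email] = new_password        # identity comes from storage
        return True


def demo():
    """Attacker opens a reset for their own account, then edits the link."""
    results = {}
    accounts = {"victim@example.invalid": "v-secret", "attacker@example.invalid": "a-secret"}

    weak = VulnerableResetService(dict(accounts))
    link = weak.start_reset("attacker@example.invalid")
    # The "text editing" step: swap the attacker's address for the victim's.
    forged = link.replace("attacker%40example.invalid", "victim%40example.invalid")
    results["weak_forged_ok"] = weak.complete_reset(forged, "pwned")
    results["weak_victim_pw"] = weak.accounts["victim@example.invalid"]

    strong = HardenedResetService(dict(accounts))
    link = strong.start_reset("attacker@example.invalid")
    results["strong_legit_ok"] = strong.complete_reset(link, "new-a")   # own account only
    results["strong_reuse_ok"] = strong.complete_reset(link, "again")   # token already spent
    results["strong_victim_pw"] = strong.accounts["victim@example.invalid"]
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the edited link succeeding against the vulnerable service (the victim's password becomes `pwned`) while the hardened service resets only the account the token was issued for, rejects the same link a second time, and leaves the victim untouched. The design point is that the completion step must derive the account from server-side state keyed by an unguessable token, never from anything in the link itself, and must discard the token on first use and after a short lifetime.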
Apple yesterday enabled two-factor verification for Apple IDs, which eliminates this issue for any user who had it active. But many users likely do not yet have it turned on, and there are edge cases, such as a recent password change, that require people to wait up to three days before they can enable it.
We detailed yesterday exactly how to enable two-factor authentication, so you should definitely go check that out. It protects your account against a host of simple attacks like this one.
Update: Apple has informed The Verge that it is working on a fix for the issue, saying that “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.”

By Matthew Panzarino
Source:
http://thenextweb.com/apple/2013/03/22/apple-suspends-iforgot-password-page-after-reports-of-security-hole-allowing-unauthorized-resets/?fromcat=all
