Apple Password Reset Bug Allows Anyone to Hijack User Accounts

A step-by-step tutorial showing how to change Apple ID passwords posted on the underweb has caused a massive headache to the Cupertino-based technology vendor. The tutorial has forced Apple to put the password recovery process in maintenance mode over the weekend to protect customers’ accounts.

The step-by-step account hijacking guide [the tutorial is not working anymore] reveals a gaping security hole in the screening process before a valid user is allowed to reset a password. Unlike other websites, Apple does not send a confirmation link over the web, but rather takes the user through a series of steps asking for date of birth and an answer to the pre-set security question.

Password recovery is a five-step process; upon every successful step, the password recovery application appends a parameter to the URL and sends it to the server as a GET request. It appears that the answer to the security question is not validated when it is passed as such, so a user familiar with the form of the final URL can manipulate the URL to bypass security and reach the password reset form without going through the entire process. An attacker only needs to know the victim’s date of birth – information that can be easily obtained from social networking websites or even public records.

The company took the password recovery page down immediately and issued a fix yesterday, but it is currently unknown whether the bug had already been exploited. An Apple ID compromise can have devastating effects on users, as it allows access to critical services such as iCloud (where an attacker can locate, wipe, lock the registered Apple devices or access cloud-saved documents, the e-mail account and contact list).