HOTforSecurity
Loredana BOTEZATU @lbotezatu
Industry News

Apple Password Reset Bug Allows Anyone to Hijack User Accounts

March 26, 2013

A step-by-step tutorial posted on the underweb showing how to change Apple ID passwords has caused a massive headache for the Cupertino-based technology vendor. The tutorial forced Apple to put the password recovery process into maintenance mode over the weekend to protect customers’ accounts.

The step-by-step account hijacking guide [the tutorial is not working anymore] reveals a gaping security hole in the screening process before a valid user is allowed to reset a password. Unlike other websites, Apple does not send a confirmation link over the web, but rather takes the user through a series of steps asking for date of birth and an answer to the pre-set security question.

Password recovery is a five-step process; after every successfully completed step, the password recovery application appends a parameter to the URL and sends it to the server as a GET request. It appears that the answer to the security question is not validated when it is passed as a URL parameter in this way, so a user familiar with the form of the final URL can manipulate it to bypass the check and reach the password reset form without going through the entire process. An attacker only needs to know the victim’s date of birth – information that can be easily obtained from social networking websites or even public records.
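The flaw described above is a general pattern: a multi-step flow that records "step N passed" in a client-controlled URL parameter, which the final step then trusts. The following is an added illustration written for this article, not Apple's code or anything from the tutorial; the user record, the `q=ok` flag name and the `ResetSession` state machine are constructed for the example. It places the pattern next to the hardened form, where progress through the steps lives only on the server, keyed by an opaque single-use token, so a request cannot claim to have answered the security question.

```python
"""Hypothetical password-reset flow: client-trusted step flags versus
server-side session state. Added example, not code from the page."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    dob: str             # stored as YYYY-MM-DD
    security_answer: str
    password: str = "old-password"


# Constructed sample account (not real data).
USERS: Dict[str, User] = {"alice": User("alice", "1990-05-17", "fluffy")}


# --- The pattern the article describes: step results carried in the URL ---
def insecure_reset(query: Dict[str, str]) -> bool:
    """Final step of a flow whose earlier steps appended flags to the URL.

    Only the date of birth is re-checked here; the 'q=ok' flag is taken at
    face value, so the server never learns whether the security question
    was really answered. Shown to illustrate the defect, not as a design.
    """
    user = USERS.get(query.get("user", ""))
    if user is None or query.get("dob") != user.dob:
        return False
    if query.get("q") != "ok":        # client-supplied, never verified
        return False
    user.password = query["new_password"]
    return True


# --- Hardened flow: progress lives server-side behind an opaque token ---
@dataclass
class ResetSession:
    username: str
    step: int = 0        # 0 = started, 1 = DOB verified, 2 = question verified


SESSIONS: Dict[str, ResetSession] = {}


def start_reset(username: str) -> Optional[str]:
    """Step 1: open a reset session and hand back an unguessable token."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ResetSession(username)
    return token


def verify_dob(token: str, dob: str) -> bool:
    """Step 2: only valid from step 0; a wrong answer burns the session."""
    sess = SESSIONS.get(token)
    if sess is None or sess.step != 0:
        return False
    if not secrets.compare_digest(dob, USERS[sess.username].dob):
        SESSIONS.pop(token)
        return False
    sess.step = 1
    return True


def verify_question(token: str, answer: str) -> bool:
    """Step 3: only valid from step 1, so it cannot be skipped or reordered."""
    sess = SESSIONS.get(token)
    if sess is None or sess.step != 1:
        return False
    expected = USERS[sess.username].security_answer
    if not secrets.compare_digest(answer.strip().lower(), expected.lower()):
        SESSIONS.pop(token)
        return False
    sess.step = 2
    return True


def secure_reset(token: str, new_password: str) -> bool:
    """Final step: consumes the token; succeeds only if the server itself
    recorded every earlier step as passed."""
    sess = SESSIONS.pop(token, None)   # single use, success or failure
    if sess is None or sess.step != 2:
        return False
    USERS[sess.username].password = new_password
    return True
```

The hardened version has nothing for a client to tamper with: the token is random, the step counter is never sent to the browser, and each handler refuses to run unless the server's own record says the previous step was completed. Calling the final step early consumes the token without changing the password, which also gives a logging point for attempts that skip steps.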

The company took the password recovery page down immediately and issued a fix yesterday, but it is currently unknown whether the bug had already been exploited. An Apple ID compromise can have devastating effects on users, as it grants access to critical services such as iCloud, where an attacker can locate, wipe or lock the registered Apple devices, or access cloud-saved documents, the e-mail account and the contact list.

Tags: apple, bug, hijack, ID, account, password reset


About the author


Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.

2 Comments

  • Mark Byrn says:
    March 26, 2013 at 3:35 pm

    Apple fixed this four days ago and you’re just getting around to reporting it as though it’s breaking news? Try Googling ‘Apple brings password page back online after fixing security exploit’ – it’s an article that was posted on The Verge on 22 Mar.

  • Loredana Botezatu says:
    March 26, 2013 at 3:41 pm

    Thank you, Mark, for your comment. This is not breaking news; it is important news for our readers. We decided to write about it now that the exploit is no longer working.
