Friday, March 22, 2013

Apple two-step verification uncovers password reset flaw

Apple two-step verification uncovers password reset flaw

One step forward, two steps back

Apple's new two-step verification measure is more like one step forward, two steps back, as an exploit has been uncovered for people who haven't signed up for the new feature.

The only information required to reset a person's password is the email account associated with their Apple ID and their date of birth.

The password reset also requires pasting a modified URL into the address bar, according to The Verge, but this is a simple trick to figure out.

This relatively easy password reset method means that anyone with unauthorized access to someone's email can hijack their Apple ID, iTunes, or iCloud accounts.

Apple password reset page down

Apple's two-step verification method incorporates a pin that's sent to a "trusted device" like an iPhone using the Find My iPhone app or another device using an SMS text message.

Upgrading to this extra layer of security, required for account changes and making purchases from a new Apple device, is one way to avoid having your Apple account hacked.

However, it's not that straightforward, as there's a mandatory three-day waiting period before the new two-step verification feature is enabled on an account.

In response to this, Apple has taken down its iForgot password reset page, while some users have gone to lengths such as randomly picking a new birth date.

Obviously, none of these are acceptable measures going forward. TechRadar has reached out to Apple for a comment about the security flaw and will update this story when the company responds.


Source : http://www.techradar.com/news/computing/apple/apple-two-step-verification-uncovers-password-reset-flaw-1140020

0 comments:

Post a Comment