This article originally appeared in TidBITS on 2013-03-22 at 2:01 p.m.
The permanent URL for this article is: http://tidbits.com/article/13656
Include images: Off

Exploit Allowed Easy Apple ID Password Reset

by Glenn Fleishman

The Verge reported [1] that Apple’s Apple ID iForgot [2] password-reset page had an exploit documented in a publicly available set of instructions. The exploit required a modified URL to open the iForgot page, coupled with knowledge of a user’s email address and date of birth. (The Verge does not link to the instructions, nor do we.) Apple quickly shut down the iForgot page, and launched a version later in the day that changed the process.

One’s date of birth is unfortunately an easy bit of information to find — it’s asked for by social networking services like Facebook and Google+, and is thus often available to our online “friends” that way. (Makes you wonder if “friending” all those people you barely know was a good idea, doesn’t it?) It’s also easy to search Twitter for birthday wishes and make some educated guesses about what year a particular person was born. And that’s even before you take into account the fact that our information may already be floating around in hacker hideouts due to previous breaches of credit databases and other data stores. Date of birth information can also be obtained through cheap online identity searches.

By the end of the day after the news appeared, Apple had re-enabled iForgot, offering two paths to reset a password: either using the rescue email address specified in an Apple ID account (if that had been set) or by answering a series of security questions and answers created during account setup (or later, when Apple added this feeble validation option to all accounts).

The exploit didn’t affect users who have switched to two-factor authentication, introduced by Apple only a day earlier in a number of English-speaking countries (see “Apple Implements Two-Factor Authentication for Apple IDs [3],” 21 March 2013). In Apple’s two-factor system, a password can be reset only with possession of a trusted device — one that’s been verified with the Apple ID account — and the recovery key. (Loss of a password and either of those other elements renders an Apple ID account permanently unrecoverable!)

The Verge and other sites don’t explain why resetting your password would be useful to someone wanting to access your account. Surely, if the instructions to create a new password are sent to your email address, the attacker must already have your login credentials? Not necessarily.

The attacker might have found a way to read your email by stealing or gaining temporary physical access to one of your devices, or by cracking an unrelated email account to which the primary address is forwarded. In such cases, he can’t log in to any of the other services or make purchases using that email account.

But if an Apple ID account, for which the hijacker can read email, even temporarily, can have its password reset, that would enable future access to iTunes purchases, contacts and calendar events stored in iCloud, Find My iPhone tracking, and other associated data. Of course, the jig may be up the next time the account owner needs to enter the correct password and finds it doesn’t work. But by then, enough damage may have been done to be troublesome or costly.

That makes it a little peculiar that the revised iForgot page offers to send password-reset instructions to a backup email address since many people have multiple addresses set up with a single email program. If the bad guy has physical access to a device, and hasn’t just figured out to a tap into a single email account, the reset instructions would be in his grasp as well. But there is only so much that Apple can do. There must be ways to reset a password, and sending instructions via email is one reasonable path.

Frankly, the sort of exploit Apple closed is less likely to be used by an anonymous miscreant than by someone close enough to you to find out your date of birth and gain access to your email at just the right moment to receive the reset email and follow its instructions. Teenagers and young adults are probably most susceptible, given promiscuous sharing of devices and information, plus sensitive data. Can you imagine the drama of a jilted lover using this technique to track the other person via Find My iPhone?

[1]: http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth
[2]: https://iforgot.apple.com/iForgot/iForgot.html
[3]: http://tidbits.com/article/13654