Exploit Allowed Easy Apple ID Password Reset
The Verge reported that Apple’s Apple ID iForgot password-reset page had an exploit documented in a publicly available set of instructions. The exploit required a modified URL to open the iForgot page, coupled with knowledge of a user’s email address and date of birth. (The Verge does not link to the instructions, nor do we.) Apple quickly shut down the iForgot page, and launched a version later in the day that changed the process.
One’s date of birth is unfortunately an easy bit of information to find — it’s asked for by social networking services like Facebook and Google+, and is thus often available to our online “friends” that way. (Makes you wonder if “friending” all those people you barely know was a good idea, doesn’t it?) It’s also easy to search Twitter for birthday wishes and make some educated guesses about what year a particular person was born. And that’s even before you take into account the fact that our information may already be floating around in hacker hideouts due to previous breaches of credit databases and other data stores. Date of birth information can also be obtained through cheap online identity searches.
By the end of the day after the news appeared, Apple had re-enabled iForgot, offering two paths to reset a password: either using the rescue email address specified in an Apple ID account (if that had been set) or by answering a series of security questions and answers created during account setup (or later, when Apple added this feeble validation option to all accounts).
The exploit didn’t affect users who have switched to two-factor authentication, introduced by Apple only a day earlier in a number of English-speaking countries (see “Apple Implements Two-Factor Authentication for Apple IDs,” 21 March 2013). In Apple’s two-factor system, a password can be reset only with possession of a trusted device — one that’s been verified with the Apple ID account — and the recovery key. (Loss of a password and either of those other elements renders an Apple ID account permanently unrecoverable!)
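To make the three reset paths described above concrete, here is a small model of such a policy in Python. This is an added illustration, not Apple's code and not a description of how iForgot is implemented; the `Account` fields, function names and sample values are all hypothetical. It shows the property that matters for this story: an e-mail address plus a date of birth authorizes nothing, a rescue-mail token is single-use, security answers are compared as hashes, and once two-factor is on, only a trusted device together with the recovery key will do, with no fallback to the other two paths.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def _digest(value: str) -> bytes:
    """Hash a secret (answer, token, recovery key) so it is never stored in clear.
    Demo only: a production system would use a slow KDF such as scrypt or Argon2."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def _norm(answer: str) -> str:
    """Normalize security answers so case and stray whitespace don't lock users out."""
    return " ".join(answer.strip().lower().split())


@dataclass
class Account:
    """Hypothetical account record; field names are this example's own."""
    email: str
    birthdate: str                       # semi-public data: never sufficient on its own
    rescue_email: Optional[str] = None
    question_hashes: Dict[str, bytes] = field(default_factory=dict)
    two_factor: bool = False
    trusted_devices: Set[str] = field(default_factory=set)
    recovery_key_hash: Optional[bytes] = None
    pending_token_hashes: Set[bytes] = field(default_factory=set)


def set_security_questions(acct: Account, answers: Dict[str, str]) -> None:
    acct.question_hashes = {q: _digest(_norm(a)) for q, a in answers.items()}


def enable_two_factor(acct: Account, device_ids: Set[str], recovery_key: str) -> None:
    acct.two_factor = True
    acct.trusted_devices = set(device_ids)
    acct.recovery_key_hash = _digest(recovery_key)


def issue_rescue_token(acct: Account) -> Optional[str]:
    """Mint a single-use token that would be mailed to the rescue address.
    Returns None when the path is unavailable (no rescue address, or two-factor on)."""
    if acct.two_factor or not acct.rescue_email:
        return None
    token = secrets.token_urlsafe(32)
    acct.pending_token_hashes.add(_digest(token))   # only the hash is kept server-side
    return token


def _consume_token(acct: Account, token: str) -> bool:
    presented = _digest(token)
    for stored in acct.pending_token_hashes:
        if hmac.compare_digest(stored, presented):
            acct.pending_token_hashes.discard(stored)   # single use
            return True
    return False


def _answers_match(acct: Account, answers: Dict[str, str]) -> bool:
    if not acct.question_hashes or set(answers) != set(acct.question_hashes):
        return False
    ok = True
    for q, expected in acct.question_hashes.items():   # check every question, no early exit
        ok &= hmac.compare_digest(expected, _digest(_norm(answers[q])))
    return ok


def authorize_reset(acct: Account, evidence: Dict[str, object]) -> Optional[str]:
    """Return the name of the path that authorizes a reset, or None if nothing does.
    Note that 'email' and 'birthdate' in the evidence are deliberately ignored."""
    if acct.two_factor:
        device = evidence.get("device_id")
        key = evidence.get("recovery_key")
        if (device in acct.trusted_devices and isinstance(key, str)
                and acct.recovery_key_hash is not None
                and hmac.compare_digest(acct.recovery_key_hash, _digest(key))):
            return "two_factor"
        return None          # no fallback: rescue mail and questions are switched off
    token = evidence.get("reset_token")
    if isinstance(token, str) and _consume_token(acct, token):
        return "rescue_email"
    answers = evidence.get("answers")
    if isinstance(answers, dict) and _answers_match(acct, answers):
        return "security_questions"
    return None


if __name__ == "__main__":
    # Constructed sample account, using the kind of non-discoverable answers a commenter below recommends.
    acct = Account("user@example.com", "1976-05-04", rescue_email="backup@example.com")
    set_security_questions(acct, {"first pet": "red-1976_FordPinto"})
    print(authorize_reset(acct, {"email": acct.email, "birthdate": acct.birthdate}))  # None
    print(authorize_reset(acct, {"reset_token": issue_rescue_token(acct)}))          # rescue_email
```

The `evidence` dictionary stands in for whatever the reset form collects; the point of the model is which keys the policy consults and which it ignores, not the transport.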
The Verge and other sites don’t explain why resetting your password would be useful to someone wanting to access your account. Surely, if the instructions to create a new password are sent to your email address, the attacker must already have your login credentials? Not necessarily.
The attacker might have found a way to read your email by stealing or gaining temporary physical access to one of your devices, or by cracking an unrelated email account to which the primary address is forwarded. In such cases, reading your email does not by itself let him log in to any of the other services tied to that address or make purchases with it.
But if an Apple ID account, for which the hijacker can read email, even temporarily, can have its password reset, that would enable future access to iTunes purchases, contacts and calendar events stored in iCloud, Find My iPhone tracking, and other associated data. Of course, the jig may be up the next time the account owner needs to enter the correct password and finds it doesn’t work. But by then, enough damage may have been done to be troublesome or costly.
That makes it a little peculiar that the revised iForgot page offers to send password-reset instructions to a backup email address, since many people have multiple addresses set up in a single email program. If the bad guy has physical access to a device, and hasn’t merely figured out how to tap into a single email account, the reset instructions would be in his grasp as well. But there is only so much that Apple can do. There must be ways to reset a password, and sending instructions via email is one reasonable path.
Frankly, the sort of exploit Apple closed is less likely to be used by an anonymous miscreant than by someone close enough to you to find out your date of birth and gain access to your email at just the right moment to receive the reset email and follow its instructions. Teenagers and young adults are probably most susceptible, given their promiscuous sharing of devices, personal information, and sensitive data. Can you imagine the drama of a jilted lover using this technique to track the other person via Find My iPhone?
I now use a different birthdate for each web site that requests it, and record the date I used in my 1Password comments field for that login. I also paste a record of my "security questions" and answers there, because I never answer with discoverable information. The "location you met your spouse" may be "12Nov1998-over-redWine" and the name of my first pet may be "red-1976_FordPinto." Security by obfuscation. But an encrypted reminder of what confusion I hath wrought in my 1Password file.
Good ideas!
Good article, but I do feel that AppleIDs are run by a bunch of amateurs who do not think through the consequences of the design decisions they make.
For example, two months ago, my Mac told me that since this was the first time I had used this device with my AppleID, I had to answer the security questions to verify my identity. Odd, since I had been using that Mac with that AppleID in the same location for about 6 months.
So when I need to reset my password, and it wants a verified device to do it, what happens if it decides the device is not verified?
You also suggest that sending password-reset instructions to a backup e-mail address is a bad thing. Try going to a third world country with limited communications capabilities apart from wifi, and then having Apple spontaneously change your AppleID password with no warning. Yes, it happened to me! Being able to get the password reset via another e-mail account was the only way to get iCloud working again.
If we are to trust important parts of our lives (contacts, calendar, etc.) to iCloud, it needs to be reliable and bulletproof. Continual bungling by Apple, interfering with people's accounts (especially with no notice), and a poor security track record make me feel that something better is needed.
Because of this, I no longer trust iCloud.