Apple password reset website - gaping hole found, fixed

Filed Under: Apple, Data loss, Featured, Vulnerability

Apple has had a good-bad-good-bad week of it in the computer security environment.

Cupertino released iOS 6.1.3, a modestly-sized update (at least by modern standards) of 18MByte that promised to fix a lock screen bypass bug.

Admittedly, that bug didn't give a crook access to your whole phone or to all its data, and you had to make a phoney emergency (911) call during the exploit.

But a lock screen is supposed to be a lock screen, and so Apple did well to publish an over-the-air update, patching this and other holes, in just over a month.

It soon went pear-shaped for Apple, though, with iOS thorn-in-the-side hacker "videosdebarraquito" quickly devising a wheeze to bypass the 6.1.3 lock screen.

Once again, the attack requires a fair amount of fiddling, including popping out the SIM card; only gives access to the phone itself and your photo gallery; and won't work if you turn voice dialling off.

But a lock screen is supposed to be a lock screen, especially if it's the lock screen of an update that was shipped to patch a flaw in the lock screen.

Think that was a problem?

Then you might want to feel sorry for Apple, which faced even bigger woes on the authentication front this week.

Seven months ago, Apple faced a huge blast of negative publicity when a journalist lost his fruit-flavoured digital life after an attacker tricked Apple's support staff into handing over his Apple ID password.

So, to widespread approval, including from Naked Security, Apple this week announced the introduction of a two-step verification feature for Apple ID logins.

You login as usual, then Apple SMSes you a one-time magic code which you need to type in to complete the authentication process.

Not perfect, and nowhere near as good as a standalone access token like your bank might have given you, but a definite step forward.

But then came news that Apple's password recovery, at least for those who haven't turned on, or don't want to or can't turn on, two-step verification, was deeply flawed.

For flawed, read, "Broken."

Apparently, all you had to do was to know was your victim's email address and date of birth, and to paste a specially-formed URL into one of the fields on Apple's official password recovery site (the inanely-named "iForgot").

By doing so, you could jump over the security-related part of the reset process and score a password stealer's hole-in-one.

→ Why anyone's date of birth should be considered a secret suitable for security purposes beggars belief. By definition, at least in the developed world, your birthday can't be a true secret, since the law requires it to be registered officially (in plaintext, no less) within a short time of your birth. Furthermore, society actively encourages you celebrate it at least semi-publicly every year, a situation that is incommensurate with secrecy.

Whether this exploit relied on cross-site scripting (where a URL for an unofficial site is accidentally processed in the security context of a legitimate site), or command injection (where a database lookup is mistakenly processed as a command), is not clear.

Whatever the cause, Apple quickly took the iForgot page down and then brought it back up, apparently after closing the hole.

Turning on the new and much-vaunted two-step verification would have neutralised the attack, but sadly the Apple two-step isn't yet available worldwide.

It's only officially supported in the US, the UK, Ireland, Australia and New Zealand, and even in the UK, many users (including Naked Security's own Graham Cluley) say that aren't able to turn it on yet anyway.

It's a pity that Apple announced its new security feature as though it were ready when clearly it was not.

Marketing allows for a bit of puffery, and the software industry has long relied on "pre-announcements" (less politely known as vapourware) to promote products that aren't quite ready yet.

But let's all agree to go easy on the vapourware-style pronouncements on security issues.

Don't invite people to adopt new security features unless they really are ready and working precisely as claimed.

After all, it's the early adopters in security who are your best shot at getting the rest of the world to change for the better, too...

PS. If you can turn on two-step verification, I recommended that you do, especially if you have any purchases or data tied up in iTunes, the App Store or iCloud. Two-step verification raises the bar for the crooks.

, , , , , , ,

You might like

6 Responses to Apple password reset website - gaping hole found, fixed

  1. Aditya · 931 days ago

    It's iOS 6.1.3, not iOS 6.3.1

    • Paul Ducklin · 931 days ago

      Indeed it is.

      Thanks for noticing - now fixed :-)

  2. Mark · 931 days ago

    Do you have to be able to receive the 'magic SMS' every time you want to log in? What about people like me who live where there is little/no phone reception, and log in mostly over a wifi network?

  3. Michael Natale · 931 days ago

    I love Apple but cant believe how they could have screwed up so badly on this. If I look at my Facebook friends list, I know (a) all of their email addresses (which are almost certainly their Apple ID email addresses) and (b) their birthdays, because Facebook shows that info (or at least month and day) with just a little digging. If these people are ACTUAL friends I know their age, so....oops Apple.

  4. I just started the 2-step verification process: I had to: consolidate my assorted apple user accounts (, , ); create a new password to even see the 2-step-verifcation entry (this was OK as I now have a much stronger password);and Apple is enforcing a 3 day waiting period before completion of the process can occur... odd. I have to remember to come back Monday night.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog