Apple password reset website – gaping hole found, fixed
Apple has had a good-bad-good-bad week of it in the computer security environment.

Cupertino released iOS 6.1.3, a modestly-sized update (at least by modern standards) of 18MByte that promised to fix a lock screen bypass bug.

Admittedly, that bug didn’t give a crook access to your whole phone or to all its data, and you had to make a phoney emergency (911) call during the exploit.

But a lock screen is supposed to be a lock screen, and so Apple did well to publish an over-the-air update, patching this and other holes, in just over a month.

It soon went pear-shaped for Apple, though, with iOS thorn-in-the-side hacker “videosdebarraquito” quickly devising a wheeze to bypass the 6.1.3 lock screen.

Once again, the attack requires a fair amount of fiddling, including popping out the SIM card; only gives access to the phone itself and your photo gallery; and won’t work if you turn voice dialling off.

But a lock screen is supposed to be a lock screen, especially if it’s the lock screen of an update that was shipped to patch a flaw in the lock screen.

Think that was a problem?

Then you might want to feel sorry for Apple, which faced even bigger woes on the authentication front this week.

Seven months ago, Apple faced a huge blast of negative publicity when a journalist lost his fruit-flavoured digital life after an attacker tricked Apple’s support staff into handing over his Apple ID password.

So, to widespread approval, including from Naked Security, Apple this week announced the introduction of a two-step verification feature for Apple ID logins.

You login as usual, then Apple SMSes you a one-time magic code which you need to type in to complete the authentication process.

Not perfect, and nowhere near as good as a standalone access token like your bank might have given you, but a definite step forward.

But then came news that Apple’s password recovery, at least for those who haven’t turned on, or don’t want to or can’t turn on, two-step verification, was deeply flawed.

For flawed, read, “Broken.”

Apparently, all you had to do was know your victim’s email address and date of birth, and paste a specially-formed URL into one of the fields on Apple’s official password recovery site (the inanely-named “iForgot”).

By doing so, you could jump over the security-related part of the reset process and score a password stealer’s hole-in-one.

→ Why anyone’s date of birth should be considered a secret suitable for security purposes beggars belief. By definition, at least in the developed world, your birthday can’t be a true secret, since the law requires it to be registered officially (in plaintext, no less) within a short time of your birth. Furthermore, society actively encourages you to celebrate it at least semi-publicly every year, a situation that is incommensurate with secrecy.

Whether this exploit relied on cross-site scripting (where content from an unofficial site, smuggled in via a URL, is accidentally processed in the security context of a legitimate site), or command injection (where data meant for a database lookup is mistakenly processed as a command), is not clear.
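Whatever the underlying bug, the symptom the post describes is a reset flow that could be made to skip its security step, and the fix for that class of problem is the same whichever injection was involved. As an added example (not from the post, and not Apple’s code), here is the shape of a reset flow that cannot be skipped: the server records, per reset session, whether the one-time code from the second step (the same idea as the SMS code in two-step verification) was presented, and the final step trusts only that server-side record, never anything carried in the request. The account store, the fake SMS outbox, the account details and the injectable clock are all constructed for the example.

```python
# Added example, not Apple's code: a password-reset flow whose steps are
# enforced server-side. The account store, the fake SMS outbox and the
# account data below are constructed stand-ins.
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetSession:
    account: str
    code_mac: bytes            # HMAC of the one-time code, keyed by the session id
    expires_at: float
    attempts_left: int = 5     # guessing budget for the 6-digit code
    verified: bool = False     # set only by a successful verify_code()
    consumed: bool = False     # a session sets at most one password


class ResetService:
    def __init__(self, accounts, now=time.time):
        self._accounts = accounts      # email -> {"dob": ..., "password": ...}
        self._sessions = {}            # opaque session id -> ResetSession
        self._now = now                # injectable clock, for testing expiry
        self.outbox = []               # stands in for the SMS gateway

    @staticmethod
    def _mac(session_id, code):
        return hmac.new(session_id.encode(), code.encode(), "sha256").digest()

    def start(self, email, dob):
        """Step 1: identify the account. Date of birth only selects the
        account; it is not a secret, so it earns no trust on its own."""
        acct = self._accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["dob"], dob):
            return None
        session_id = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self._sessions[session_id] = ResetSession(
            account=email, code_mac=self._mac(session_id, code),
            expires_at=self._now() + 600)
        self.outbox.append((email, code))   # delivered out of band in real life
        return session_id

    def _live(self, session_id):
        s = self._sessions.get(session_id)
        if s is None or s.consumed or self._now() > s.expires_at:
            return None
        return s

    def verify_code(self, session_id, code):
        """Step 2: prove possession of the out-of-band code. This is the
        only code path that can mark a session as verified."""
        s = self._live(session_id)
        if s is None or s.attempts_left <= 0:
            return False
        s.attempts_left -= 1
        if not hmac.compare_digest(s.code_mac, self._mac(session_id, code)):
            return False
        s.verified = True
        return True

    def set_password(self, session_id, new_password):
        """Step 3: consult the server's own record of step 2, not anything
        the client sends, so a request that jumps to step 3 is refused."""
        s = self._live(session_id)
        if s is None or not s.verified:
            return False
        self._accounts[s.account]["password"] = new_password
        s.consumed = True
        return True


def demo():
    """Walk the flow once and report what each attempt achieved."""
    accounts = {"alice@example.invalid": {"dob": "1980-01-01", "password": "old"}}
    clock = [1000.0]
    svc = ResetService(accounts, now=lambda: clock[0])
    results = {}

    results["unknown_account_refused"] = svc.start("bob@example.invalid", "1980-01-01") is None
    sid = svc.start("alice@example.invalid", "1980-01-01")
    real = svc.outbox[-1][1]
    wrong = "000000" if real != "000000" else "111111"

    results["skipped_step_rejected"] = not svc.set_password(sid, "attacker-chosen")
    results["wrong_code_rejected"] = not svc.verify_code(sid, wrong)
    results["right_code_accepted"] = svc.verify_code(sid, real)
    results["password_changed"] = (svc.set_password(sid, "new")
                                   and accounts["alice@example.invalid"]["password"] == "new")
    results["replay_rejected"] = not svc.set_password(sid, "again")

    sid2 = svc.start("alice@example.invalid", "1980-01-01")
    clock[0] += 601                     # let the second session expire
    results["expired_rejected"] = not svc.verify_code(sid2, svc.outbox[-1][1])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point is where the state lives: the session id is opaque, the “verified” flag is set only by the server after a correct code, and the final step reads that flag rather than a step number, token or redirect target supplied by the client, so there is nothing in the URL or form that could be pasted to jump ahead.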

Whatever the cause, Apple quickly took the iForgot page down and then brought it back up, apparently after closing the hole.

Turning on the new and much-vaunted two-step verification would have neutralised the attack, but sadly the Apple two-step isn’t yet available worldwide.

It’s only officially supported in the US, the UK, Ireland, Australia and New Zealand, and even in the UK, many users (including Naked Security’s own Graham Cluley) say they aren’t able to turn it on yet anyway.

It’s a pity that Apple announced its new security feature as though it were ready when clearly it was not.

Marketing allows for a bit of puffery, and the software industry has long relied on “pre-announcements” (less politely known as vapourware) to promote products that aren’t quite ready yet.

But let’s all agree to go easy on the vapourware-style pronouncements on security issues.

Don’t invite people to adopt new security features unless they really are ready and working precisely as claimed.

After all, it’s the early adopters in security who are your best shot at getting the rest of the world to change for the better, too…

PS. If you can turn on two-step verification, I recommend that you do, especially if you have any purchases or data tied up in iTunes, the App Store or iCloud. Two-step verification raises the bar for the crooks.