Apple's Two-Step Verification has a Bug

tatchley
Community Member
edited March 2013 in Lounge

If you did not know already, a flaw has been found in Apple's system which allows knowledgeable people to reset your password with only your email and date of birth. So currently, people should either falsify their date of birth as listed on Apple's site, or enable the authentication. Just wanted people to be aware.

Comments

  • khad
    1Password Alumni

    I guess this is one more time that never giving out my real birthday online has come in handy. In the meantime:

    The company promptly brought down its iForgot password reset tool soon after we informed them of the hack, though it isn't yet providing a timeframe on when that service will be restored.

    (via Apple confirms password vulnerability, says it's 'working on a fix')

  • charlie98
    Community Member

    of some importance as well

    Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand.

  • leesweet
    Community Member

    Did this mean they emailed you a new password, so, if you had your Gmail secured with two factor auth and a good password, you were okay, or did they offer to change the email to something new, also? Lol...

    A lot of things work well if you can make your email really secure (like with 1P random passwords and two factor...) (um, oh yeah. and random nonsense security questions... sigh....).

  • khad
    1Password Alumni

    The bug was that someone else could essentially "replay" a password reset URL. If they knew your birthday and email address, they could reset your password which would send a special URL to your email address. But since the format of the URL is not a secret, they could then craft their own to use without ever even having access to your email account. It was a pretty nasty bug.
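The two weaknesses discussed in this thread (a reset that succeeds with only public-ish facts like email and birthday, and a reset link whose format lets someone craft their own) both come down to the reset token being derivable rather than secret. The following is an added example, not code from Apple or from this forum, showing how a password-reset flow is normally hardened against exactly that: the token is unguessable random data, only its hash is stored, it is bound to one account, expires, and is consumed on first use so a replayed or forged link is rejected. The class `ResetService`, the helper `token_from_link`, the URL `https://example.invalid/...`, and the in-memory stores are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed lifetime for a reset link (constructed value for this example).
RESET_TTL_SECONDS = 15 * 60


class ResetService:
    """Minimal password-reset backend (illustrative, not any vendor's code).

    Stores only the SHA-256 of each outstanding token, so a leaked database
    does not hand out usable links, and keeps tokens single-use and time-limited.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._pending = {}  # token_hash -> (email, expires_at)
        self.passwords = {}  # email -> current password (constructed store)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        # 256 bits from the OS CSPRNG: nothing about the account (email,
        # birthday, timestamp) goes into the token, so it cannot be re-derived.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (email, self._now() + RESET_TTL_SECONDS)
        # Only the mailbox owner ever sees this link; the email parameter is for
        # the UI, the token is the actual credential.
        return f"https://example.invalid/reset?email={email}&token={token}"

    def complete_reset(self, email, token, new_password):
        entry = self._pending.get(self._hash(token))
        if entry is None:
            return False  # forged, guessed, expired-and-purged, or already used
        bound_email, expires_at = entry
        # Constant-time compare of the account binding; reject if the link was
        # issued for another account or is past its lifetime.
        if not hmac.compare_digest(bound_email.encode(), email.encode()):
            return False
        if self._now() > expires_at:
            del self._pending[self._hash(token)]
            return False
        # Consume the token before changing anything: a second use (replay)
        # of the same link now fails at the lookup above.
        del self._pending[self._hash(token)]
        self.passwords[email] = new_password
        return True


def token_from_link(link):
    """Extract the token query parameter, as the legitimate mail recipient would."""
    return parse_qs(urlparse(link).query)["token"][0]


def demo():
    """Walk through the legitimate flow and the two failure modes from the thread."""
    clock = [1_700_000_000.0]  # constructed epoch time, advanced by hand
    svc = ResetService(now=lambda: clock[0])
    link = svc.request_reset("alice@example.invalid")
    token = token_from_link(link)
    results = {
        # Someone who only knows the link *format* cannot produce a valid token.
        "forged_link_rejected": not svc.complete_reset(
            "alice@example.invalid", "made-up-token", "pw-attacker"
        ),
        # The real recipient can reset once.
        "legitimate_reset_ok": svc.complete_reset(
            "alice@example.invalid", token, "pw-new"
        ),
        # Replaying the same link afterwards fails.
        "replay_rejected": not svc.complete_reset(
            "alice@example.invalid", token, "pw-replay"
        ),
    }
    # Expiry: issue a fresh link, then move the clock past its lifetime.
    link2 = svc.request_reset("bob@example.invalid")
    clock[0] += RESET_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.complete_reset(
        "bob@example.invalid", token_from_link(link2), "pw-late"
    )
    results["password_after"] = svc.passwords.get("alice@example.invalid")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only thing the reset page trusts is a value that was never predictable and never left the user's mailbox; knowing someone's email, birthday, or the shape of the URL gives no way to construct it, and even a stolen link is dead after one use or a few minutes.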

  • leesweet
    Community Member

    Eek, yeah. That's a known general issue with that sort of thing. I'm surprised it made it into production. Thanks for the details!
