Apple : Apple fixes password reset security flaw, iForgot page back online |
- Apple fixes password reset security flaw, iForgot page back online
- Updated: Apple two-step verification uncovers password reset flaw
- Apple issues in-app purchase warnings to keep kids from blowing the bank
Apple fixes password reset security flaw, iForgot page back online Posted: Apple has plugged a worrying security hole that allowed an unauthorised party to change a user's Apple ID password just by using the correct email address and date of birth. The flaw, discovered on Friday, allowed hackers to send a modified URL to the company's iForgot webpage and reset a user's password without having to answer additional security questions. The company soon responded by temporarily removing the iForgot page from the web and promising it was "working on a fix." Now, less than 24 hours later, the iForgot page has been restored and the problem has been resolved, according to the iMore website which has verified that the hack is no longer active. Dancing the two-stepThe discovery of the simple work-around came just one day after Apple rolled-out the two-step verification security tool. This requires users to confirm their identity through a "trusted device" like an iPhone or iPad, whenever changes are made to their Apple ID or iCloud account. However, such was the rush to sign-up for the simpler (there's no need for security questions) and more secure account protection tool that when yesterday's problem emerged, there was a three-day queue to switch. This left those using password reset method vulnerable until Apple fixed the flaw late on Friday night. |
Updated: Apple two-step verification uncovers password reset flaw Posted: Update: Apple said that it is working to correct the Apple ID password reset exploit that was discovered earlier today and forced the company to suspend its iForgot tool. "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix," the company told The Verge in an update. No timeframe of when Apple will restore the ability to reset account passwords was attached to this short statement. Original story continues... Apple's new two-step verification measure is more like one step forward, two steps back, as an exploit has been uncovered for people who haven't signed up for the new feature. The only information required to reset a person's password is the email account associated with their Apple ID and their date of birth. The password reset also requires pasting a modified URL into the address bar, according to The Verge, but this is a simple trick to figure out. This relatively easy password reset method works whether or not someone has unauthorized access to Apple ID email account, and would allow them to hijack your Apple ID, iTunes, or iCloud accounts. Apple password reset page downApple's two-step verification method incorporates a pin that's sent to a "trusted device" like an iPhone using the Find My iPhone app or another device using an SMS text message. Upgrading to this extra layer of security, required for account changes and making purchases from a new Apple device, is one way to avoid having your Apple account hacked. However, it's not that straightforward, as there's a mandatory three-day waiting period before the new two-step verification feature is enabled on an account. In response to this, Apple has taken down its iForgot password reset page, while some users have gone to lengths such as randomly picking a new birth date. Obviously, none of these are acceptable measures going forward. TechRadar has reached out to Apple for a comment about the security flaw and will update this story when the company responds. |
Apple issues in-app purchase warnings to keep kids from blowing the bank Posted: Rather than continue to cash back to users, Apple has attempted to make perfectly clear which apps should be kept out of the reach of children if their folks aren't savvy enough to password-protect purchases. Just last week the iPhone-maker refunded the parents of an 8-year-old British boy who had blown £980 (US$1,493, AU$1,429) of very real cash on virtual donuts in the 'free' Simsons: Tapped Out game. It wasn't the first time, either. Last month, the company agreed to pay out up to $100m (UK£66m, AUD$96m) in refunds to parents in the United States whose kids had also made unsanctioned in-app purchases.S Starting today, iTunes listings for these so-called 'freemium' apps now feature an 'Offers In-App Purchases' message, which sits conveniently beneath the actual price tag. Only iTunes-based for nowThe slight page tweak, uncovered by The Guardian, is only present within the standalone iTunes client at the moment, but doesn't appear in the web-based listings or within the device-based App Store listing. However, with the majority of apps (two-thirds, in fact) being downloaded directly to iOS devices, we expect the App Store app itself to receive the same update shortly. Will it stop children knowingly or unknowingly capitalising on their parents' inability to manage a simple task like adding a password to their iTunes account or turning off in-app purchases completely? Probably not, but it's a step in the right direction. |
You are subscribed to email updates from TechRadar: All latest Apple news feeds To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
Google Inc., 20 West Kinzie, Chicago IL USA 60610 |
No comments:
Post a Comment