Posted by: David Harley | March 23, 2013

Apple and authentication: another glitch

The Verge yesterday reported that “Major security hole allows Apple passwords to be reset with only email address, date of birth”, which pretty much sums up the story, except that the 4th update to the story indicates that the vulnerability has been fixed. It’s worth noting that the exploit apparently didn’t work where Apple’s new two-factor authentication was enabled. Unfortunately, it turns out that the sign-up process for that also has some problems: some people have been told that they can’t sign up for three days. (Tested and confirmed by Sophos.)

So, as Paul Ducklin also pointed out in the Sophos blog, it’s been something of a “good-bad-good-bad week” for Apple, security-wise.

Hat tip to Anders Nilsson for drawing my attention to the issue.

David Harley 
Small Blue-Green World
ESET Senior Research Fellow

