Posted by: David Harley | March 23, 2013

Apple and authentication: another glitch

The Verge yesterday ran a story headlined “Major security hole allows Apple passwords to be reset with only email address, date of birth”, which pretty much sums up the story, except that the 4th update to the story indicates that the vulnerability has been fixed. It’s worth noting that the exploit apparently didn’t work where Apple’s new two-factor authentication was enabled. Unfortunately, it turns out that the sign-up process for that also has some problems: some people have been told that they can’t sign up for three days. (Tested and confirmed by Sophos.)

So, as Paul Ducklin also pointed out in the Sophos blog, it’s been something of a “good-bad-good-bad week” for Apple, security-wise.

Hat tip to Anders Nilsson for drawing my attention to the issue.

David Harley 
Small Blue-Green World
ESET Senior Research Fellow
