Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
Permalink for comment 557290

"That said, is not Apple - I think it is fair to hold them to a slightly higher standard."

Haha, I've read this sentence several times now and it's not semantically clear at all which one you are holding to a higher standard ;)

I meant that it seems fair to me to hold Apple to a higher standard, but point taken - I did word that poorly.

What are OSNews readers' opinions on the morality of public disclosure of security vulnerabilities?

I think in this case public disclosure is more than fair - the problem is so obvious it is in fact announcing itself...

PS. If you really want to get Thom's attention, send him a link to the exploit in an email... Just tell him what you are going to change his password to first ;)

Edited 2013-04-02 02:34 UTC

Reply Parent Score: 2