Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
Thread beginning with comment 557276
Alfman Member since:
2011-01-28

Here's the real irony: osnews.com is vulnerable to the same thing!

I have an external link that exploits an osnews web vulnerability to reset the password of a logged-in user to "hacked".

Works under Firefox, not IE since I didn't bother...even malware authors have to struggle around incompatibilities ;)

I'll be a nice guy and email Thom a link in private so they can confirm it and fix it ;)

Reply Score: 2

Alfman Member since:
2011-01-28

Thom,


It occurs to me that it would have been nicer still to not say anything at all in public, but I couldn't resist exposing the irony. I hope we can all have a good laugh ;)

Reply Parent Score: 2

galvanash Member since:
2006-01-25

Now that you point it out there is an obvious security issue on the account preferences page. There is a reason most such systems require the user to re-enter their existing password in order to change it...

That said, osnews.com is not Apple - I think it is fair to hold them to a slightly higher standard.

Reply Parent Score: 2
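To illustrate the point galvanash makes, here is an added, constructed model of an account-preferences password change (not osnews.com's code and not from any commenter): a weak handler that trusts the session cookie alone, so a request triggered by an external link while the user is logged in succeeds, beside a hardened one that also demands the per-session CSRF token and the current password. The class and method names and the choice of PBKDF2 are assumptions.

```python
import hashlib
import hmac
import secrets

class AccountService:
    """Constructed model of an account-preferences page (assumed, not osnews.com's code)."""

    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.sessions = {}  # session id -> {"user": username, "csrf": token}

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 stands in for whatever KDF the real site uses (assumption).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def check_password(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(self._hash(password, salt), stored)

    def login(self, user, password):
        if not self.check_password(user, password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return sid

    def change_password_weak(self, sid, new_password):
        # Trusts the session cookie alone: any request that carries the victim's
        # cookie, including one triggered by an external link, succeeds.
        self.set_password(self.sessions[sid]["user"], new_password)
        return "changed"

    def change_password(self, sid, csrf_token, current_password, new_password):
        # Hardened: the request must carry the per-session CSRF token, which a
        # cross-site page cannot read, and the user's current password.
        session = self.sessions.get(sid)
        if session is None:
            return "no session"
        if not csrf_token or not hmac.compare_digest(csrf_token, session["csrf"]):
            return "bad csrf token"
        if not self.check_password(session["user"], current_password):
            return "wrong current password"
        self.set_password(session["user"], new_password)
        return "changed"
```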

Alfman Member since:
2011-01-28

galvanash,


"Now that you point it out there is an obvious security issue on the account preferences page. There is a reason most such systems require the user to re-enter their existing password in order to change it..."

Yeah, there are vulnerabilities on several pages, which you can probably find if you poke around with an eye for them. I'd like to discuss them because they're common web problems, but so far they haven't responded and I feel guilty pointing them out before they're fixed. It's probably unlikely anyone will fix them before this article times out.


"That said, osnews.com is not Apple - I think it is fair to hold them to a slightly higher standard."


Haha, I've read this sentence several times now and it's not semantically clear at all which one you are holding to a higher standard ;)

Edit: Often companies are lazy at fixing both known and unknown vulnerabilities until the exploits for them are in the wild. This is probably why many security researchers end up being frustrated with "proper channels" and publish their exploits, which forces companies to promptly fix their stuff. What are osnews readers' opinions on the morality of public disclosure of security vulnerabilities?

Edited 2013-04-02 01:40 UTC

Reply Parent Score: 3

Alfman Member since:
2011-01-28

Thom,
This is still not fixed, and I haven't even heard a peep from you or David in email or here. It was no April first joke, the accounts of osnews users are absolutely vulnerable.

Reply Parent Score: 2