Mon 1st Apr 2013
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."


"ps. If you really want to get Thom's attention send him a link to the exploit in an email... Just tell him what you are going to change his password to"

That's actually what I did. The exploit I used was a bit more sophisticated than redirected form submission - it takes over control of the user session in an iframe (which is the reason it was browser dependent) and passes control to another server.

This year one of my clients was attacked with one of the most sophisticated PHP attacks I had seen to date. Malicious code was uploaded on one website through an image upload form, propagated to another website through background mirroring jobs, and exploited on that second website. The code was self-obfuscating and ultimately extracted and installed a PHP trojan which was used to conduct an attack on another third-party server (who accused us of hacking them).

