
Security hole allows Apple passwords to be reset with only email, date of birth - rkudeshi
http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth
======
jpxxx
Extraordinarily bad news. The damage that can be done with an Apple ID is
limitless, including CC leaks, physical address, instant remote wipes of
phones and Macs, you name it.

This had better be Apple's priority zero today.

Edit: When a critical hole is discovered in a system that manages the identity
of the 400M wealthiest people on Earth, I'd expect this story to be ranking a
little higher than page three on HN.

~~~
rm999
>When a critical hole is discovered in a system that manages the identity of
the 400M wealthiest people on Earth, I'd expect this story to be ranking a
little higher than page three on HN.

Apple has disabled password reset, so at least they've managed to control the
exploit before it got out of hand.

------
danso
So has there been a recent change to the Apple.com homepage? I ask this before
going on an unfounded rant here...but it is __*king aggravating trying to
figure out where you're supposed to even login to your account on the Apple
home page. I wanted to see if this exploit worked on my account but literally
could not find the login area...I had to randomly click through the help docs
until it took me to the "iforgot.apple.com". The only time I saw an evident
"My Account" link is by clicking on the Store tab, and even then you have to
notice that the top-right corner nav has changed to include an "Account" link.

I recently had to report my iPod stolen to the cops. It's a testament to both
how often cops have to deal with stolen iDevices and how confusing the Apple
homepage is, that I had to have the cop walk me through how to login to my
account on the Apple homepage to get to the device information he needed.

The domains apple.com, store.apple.com, secure2.store.apple.com (which you go
to after you've logged in), and iforgot.apple.com all seem to use different
templates, sometimes even different metrics and external code files. I wonder
how much of what seems to be a unified storefront is actually a bunch of
balkanized subdomains?

~~~
jpxxx
The Apple ID/iTunes/iCloud edifice has always been messy, yes, but I believe
appleid.apple.com has always been the account management page. They've never
had login UI on most pages.

