Apple's security improvements eaten by bug
@ 2013/03/28
Apple's attempts to spruce up its flaccid security reputation appear to have backfired completely.
Cupertino thought that it would be a wizard wheeze to improve security on its iCloud and iTunes accounts with a new password system.
Realising that it was not much chop on security, Apple decided to copy something that Google did which sends a code to a user's mobile phone whenever they sign in from a new computer or make a purchase.
This is called two-step authentication and is supposed to stop hackers accessing private information, even if they have the password.
But the Apple flavour of the system had a flaw that at one point affected all customers who had not yet enabled the two-step feature.
If you knew a user's email address and date of birth, you could use Apple's own tools to reset the user's password, and then their Coldplay collection was yours.
All a hacker needed to do was paste in a modified URL while answering the date of birth security question on Apple's iforgot page.
A red-faced Apple has since taken down its password reset tool, which is now back up with the problem fixed.
However, it did make a mess of all those who praised Apple's two-step security and claimed that it would force rivals, such as Amazon, to introduce similar technology.