Apple's security improvements eaten by bug
 

Apple's attempts to spruce up its flaccid security reputation appear to have backfired completely.

Cupertino thought that it would be a wizard wheeze to improve security on its iCloud and iTunes accounts with a new password system.

Realising that it was not much chop on security, Apple decided to copy something that Google did which sends a code to a user's mobile phone whenever they sign in from a new computer or make a purchase.

This is called two-step authentication and is supposed to stop hackers accessing private information, even if they have the password.

But the Apple flavour of the system had a flaw that at one point affected all customers who had not yet enabled the two-step feature.

If you knew a user's email address and date of birth, Apple's own tools to reset the user's password and then their Coldplay collection was yours.

All a hacker needed to do was paste in a modified URL while answering the date of birth security question on Apple's iforgot page.

A red-faced Apple has since taken down its password reset tool, which is now back up with the problem fixed.

However it did make a mess of all those who praised Apple's two-step security and claimed that it would force the likes of rivals, such as Amazon, to introduce similar technology.

http://news.techeye.net/security/app...s-eaten-by-bug