NEWS - March 25, 2013
by Carol~ - 3/25/13 7:47 AM
Apple suspends password resets after critical account-hijack bug is found (Updated)
"Using DOB and a modified URL, attackers could reportedly take control of accounts."
Update: Apple restored the password resets on Friday night.
Apple suspended the password-reset functionality for its iCloud and iTunes services following a published report that hackers could exploit it to hijack other people's accounts.
The password reset page stopped loading a few hours after The Verge reported there was an online tutorial that provided detailed instructions for taking unauthorized control of Apple accounts. The report didn't identify the website or the precise technique, except to say it involved "pasting in a modified URL while answering the DOB security question on Apple's iForgot page."
"It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand," reporter Chris Welch wrote. "Out of security concerns, we will not be linking to the website in question."
A few hours later, the news site published a separate post quoting Apple officials as saying they were "aware of the issue, and working on a fix."
Continued: http://arstechnica.com/security/2013/03/apple-suspends-password-resets-after-critical-account-hijack-bug-is-found/
Apple Takes Tool Offline After New Security Hole Surfaces
Apple Suspends iForgot Password Reset Page to Patch Security Hole
Apple pulls iForgot password recovery system over security bug