How Apple's Password-Reset Security Breach Worked


Yesterday, The Verge uncovered a security breach that allowed malicious users to reset Apple ID passwords with nothing but an email address and the user's birthday. Luckily, the process didn't leak out in full before the whole thing was patched up, but iMore was able to reproduce the hack step by step and is now sharing details on how it worked.


As iMore explains:

Normally the password reset process has 6 steps:
1. On, enter your Apple ID to begin the process.
2. Select an authentication method - "Answer security questions" is the one we would use.
3. Enter your date of birth.
4. Answer two security questions.
5. Enter your new password.
6. Be taken to a success page saying your password has been reset.

What should happen in a process like this is that each step can only be performed once all of the steps before it have successfully been completed. The security hole was a result of this not being properly enforced in Apple's password reset process.

It turns out that step 4, when properly completed, would generate a complex URL something along the lines of:

And while these URLs are supposed to be generated only after answering security questions, they could be effectively hacked together by performing a reset on your own password, collecting the data, and tweaking it just slightly for someone else's account, thereby letting hackers skip straight from step 3 to step 5.

The security hole is all patched up now, and there's no evidence to suggest it was ever exploited in the wild, but it's always fascinating to see how these kinds of breaches work. And if you needed just one more reason to go turn on two-step verification, this ought to be it. Let's hope it's a long time before something like this pops up again. You can check out iMore to learn more about the specifics. [iMore]
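The underlying defect iMore describes is a multi-step flow whose later steps trusted something the client could assemble itself, instead of server-side state recording which steps had actually been completed. The following is an added illustration, not code from Apple, iMore or this article: a toy reset service in the broken shape (step 5 accepts a URL whose "authorisation" is just derived from visible parameters) beside a hardened one (an opaque random flow token, each step gated on the previous one, one-shot completion, and the new password taken as a request-body argument rather than a query-string value so it never lands in server, proxy or Referer logs). The account records, birthdates, answers, parameter names and URL shape are all constructed for the example; nothing here reflects Apple's real implementation.

```python
import secrets
from dataclasses import dataclass, field

# Constructed toy account store (all values made up for this example).
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-05-14", "answers": ("rex", "boston"), "password": "old-pass"},
    "bob@example.com":   {"dob": "1985-11-02", "answers": ("tom", "denver"), "password": "old-pass"},
}


class VulnerableResetService:
    """Step 4 hands back a URL whose only 'proof' of completion is data the
    client already knows, so the final step cannot tell a forged URL from a
    genuine one. Hypothetical shape; not Apple's actual URL."""

    def reset_url(self, account):
        # The 'ok=1' marker stands in for any client-visible token that is not
        # bound to a server-side record of the questions having been answered.
        return f"/reset?account={account}&ok=1"

    def set_password(self, url, new_password):
        params = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
        if params.get("ok") == "1" and params.get("account") in ACCOUNTS:
            ACCOUNTS[params["account"]]["password"] = new_password
            return True
        return False


@dataclass
class ResetFlow:
    account: str
    completed: set = field(default_factory=set)


class HardenedResetService:
    """Each step is accepted only if the previous step was recorded as completed
    for the same opaque flow token. Nothing the client submits can advance the
    flow on its own, and a completed flow is deleted so it cannot be replayed."""

    def __init__(self):
        self.flows = {}

    def start(self, account):
        if account not in ACCOUNTS:
            return None
        token = secrets.token_urlsafe(32)          # unguessable, server-issued
        self.flows[token] = ResetFlow(account=account, completed={"start"})
        return token

    def _require(self, token, prev_step):
        flow = self.flows.get(token)
        if flow is None or prev_step not in flow.completed:
            raise PermissionError(f"step '{prev_step}' not completed for this flow")
        return flow

    def verify_dob(self, token, dob):
        flow = self._require(token, "start")
        if not secrets.compare_digest(dob, ACCOUNTS[flow.account]["dob"]):
            return False
        flow.completed.add("dob")
        return True

    def verify_answers(self, token, answers):
        flow = self._require(token, "dob")
        expected = ACCOUNTS[flow.account]["answers"]
        if len(answers) != len(expected) or not all(
            secrets.compare_digest(a.strip().lower(), e) for a, e in zip(answers, expected)
        ):
            return False
        flow.completed.add("questions")
        return True

    def set_password(self, token, new_password):
        # new_password models a POST body field: it is never part of a URL.
        flow = self._require(token, "questions")   # step 5 needs step 4 on record
        ACCOUNTS[flow.account]["password"] = new_password
        del self.flows[token]                      # one-shot flow
        return True


def skip_to_step5():
    """Returns (vulnerable_allowed_skip, hardened_allowed_skip)."""
    vuln = VulnerableResetService()
    own_url = vuln.reset_url("alice@example.com")           # reset of one's own account
    forged = own_url.replace("alice@example.com", "bob@example.com")
    vuln_skipped = vuln.set_password(forged, "attacker-chosen")
    ACCOUNTS["bob@example.com"]["password"] = "old-pass"    # restore for the second run

    hard = HardenedResetService()
    bob_token = hard.start("bob@example.com")
    hard.verify_dob(bob_token, "1985-11-02")                 # step 3: birthday is easy to learn
    try:
        hard.set_password(bob_token, "attacker-chosen")      # straight to step 5
        hard_skipped = True
    except PermissionError:
        hard_skipped = False
    return vuln_skipped, hard_skipped


def legit_reset():
    """The hardened flow still works when every step is completed in order."""
    hard = HardenedResetService()
    t = hard.start("alice@example.com")
    ok = (hard.verify_dob(t, "1990-05-14")
          and hard.verify_answers(t, ["Rex", " Boston"])
          and hard.set_password(t, "new-pass"))
    return ok and ACCOUNTS["alice@example.com"]["password"] == "new-pass" and t not in hard.flows


if __name__ == "__main__":
    print("skip to step 5 (vulnerable, hardened):", skip_to_step5())
    print("legitimate hardened reset succeeded:", legit_reset())
```

The point of the hardened version is that the server, not the URL, is the record of progress: the token carries no meaning by itself, the account it belongs to is fixed when the flow starts, and `set_password` consults the flow's `completed` set rather than anything the client supplied. The same check pattern applies to any multi-step verification flow (account recovery, MFA enrolment, checkout), and `compare_digest` is used for the answer comparisons so that timing does not leak which characters matched.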



Rui Andrade

Question here is, why were they sending your new password as plain text over GET? Shouldn't they have used POST instead?