Huge Security Flaw Allowed Apple ID Passwords To Be Reset with Email Address and DOB
If there's one thing that goes hand-in-hand with technology, it's security flaws. Rarely, though, are such flaws actual features, such as one Apple just had to rush to patch up. Late last week, the company rolled out two-step verification, where a PIN code sent to your mobile phone could be used in conjunction with a regular password to amp up the level of security on your account. This is a great move, and one that I'd like to see more companies adopt. However, with this new feature came a ridiculous oversight.
If you knew someone who had an Apple account, and also happened to know their e-mail address and date of birth, you had everything required to reset their account password. Yes, really. Those two bits of information were all that would have been needed to take over the account, which in turn could allow someone to discover the user's personal info, such as address, phone number and, of course, purchase history. Almost surprisingly, there haven't yet been reports of anyone falling victim to this flaw, with Apple's super-quick action to thank.
While this flaw was discovered and subsequently patched quickly, the fact that the original implementation made it through to begin with is mind-boggling. Someone had to design the mechanism, completely overlooking the fatal flaw, and then others would review it and likewise overlook it. For a company with as many customers as it has, it seems a little foolish to let such a simple, yet major, issue creep out.