Apple pulls iForgot password recovery system over security bug

Don't get too hammered this Friday night in case you wake up to find you've forgotten your Apple password, as Cupertino has been forced to pull down its iForgot service due to an embarrassing new security flaw. This was supposed to be a good week for Apple on the security front. On Tuesday the company fixed a password-bypass …

COMMENTS

This topic is closed for new posts.
  1. jubtastic1
    WTF?

    This is almost as bad as that 1-2-3 stupidity

    A fraction harder to exploit because you need the victim's birthdate, but essentially the same level of carelessness / ineptitude.

    You're holding doing it wrong.

    1. Anonymous Coward

      Love it

      It's now open season on Fanbois, but the irony is that the comments are being made by Fandroids who still have no idea that their Android phone is full of malware, adware and diallers hidden away in the Apps on their phones.

      May they live in blissful ignorance.

      1. Anonymous Coward

        Re: Love it

        "but the irony is that the comments are being made by Fandroids who still have no idea that their Android phone is full of malware, adware and diallers hidden away in the Apps on their phones"

        I've got to say it's some of the most respectful malware, adware and diallers I've not known about having. Not a single CPU cycle wasted, no effect on the battery and not a single bill increase. It's almost as if it wasn't even there.

        If you weren't a fanboi I'd suspect you worked for an AV company with FUD like that.

        1. Anonymous Coward

          Re: FUD

          Except, try as you might to cast iOS security in a bad light, it's not FUD. This is a repost but it's wholly relevant to that statement.

          Over 51% of Android devices need patching against exploits. Over 79% of mobile malware targets Android.

          iOS - less than 1%.

          No one is denying the latest and most patched version of Android will be reasonably secure and you will tend not to get malware if you only go to trusted sources. That was always the case for Windows too BTW. The problem is Android license policy is such that there are far too many insecure unpatched carrier devices out there:

          http://www.abs-cbnnews.com/business/03/08/13/android-rises-top-malware-threats-survey

          http://www.dazeinfo.com/2012/09/17/malware-attack-on-android-platform/

          1. Anonymous Coward

            Re: FUD

            "try as you might to cast iOS security in a bad light"

            You've just discredited yourself as a fanboi troll. Answer me this, who in reply to your post has even mentioned iOS except you? The original poster is talking about the oversight that caused this vulnerability and not iOS itself.

            If you'd bother to read a few sources, or even the ones you linked, you'd know that almost all Android malware is installed by users being duped and has nothing to do with the security of the OS itself. From your first link: "One of these, called Eurograbber, came as a PC virus but tricked users into installing a version on their mobile device"

          2. Steve Davies 3 Silver badge

            The other problem with Android

            is that manufacturers are really loath to release security updates for anything but their latest 'shiny-shiny' toy.

            Samsung are still selling phones with Android 2.3 installed. Are there any security updates? Are there heck.

            Until the manufacturers take updates more seriously then I will keep using my Nokia 6310.

            I guess that this is the price of having no walled garden. Sometimes it seems that the Apple way isn't far wrong. Now I'll get downvoted into oblivion for saying that but before you do please consider what I'm trying to say. Android device makers are really reluctant to release security updates to phones that are not currently being sold with their latest version of Android installed.

            1. Anonymous Coward

              Re: The other problem with Android

              Well I hope you won't get downvoted to oblivion - you at least have a point other than "Android sux init".

              I agree that OS upgrade cycles are a big problem - although I don't personally see this as an Android problem but a device/manufacturer problem. You can't blame Microsoft for a Dell PC running Windows XP.

              As well as being a developer and geek who likes to tinker, this is the reason I've always bought the Nexus line of phones. I think the only way I would switch is if manufacturers gave some guaranteed commitment to updates, something along the lines of: we will keep this device up-to-date for 2 years from <date> and will ensure updates are released within 3 months of the source drop from Google. Obviously, this will never happen.

      2. Toothpick
        Meh

        Re: Love it

        It's ALWAYS open season on fanbois on here.

      3. jubtastic1
        Mushroom

        Re: Love it

        That's right, I'm a fandroid, the whole mac user thing I've been peddling in the comments for the last 7 years was all an elaborate set up.

        YFM

        /sent from my iPad

  2. Rukario
    Pint

    "When news of the bug broke, some of the more – ahem – excitable members of the anti-Apple movement pointed out that the only way to get around the flaw was to use Cupertino's new two-factor security system"

    Where's my popcorn icon?

    <- Still it's Friday night, here anyway.

  3. Bob Vistakin
    Facepalm

    Their quaint little legacy phones continue to excite and amaze.

    It's the superior Apple user experience, stupid. Nanny says so.

  4. Anonymous Coward

    Sorry to all the excitable fandroids

    but it's been fixed

    1. Mike H.

      Re: Sorry to all the excitable fandroids

      again?

    2. Anonymous Coward

      Re: Sorry to all the excitable fandroids

      It's a shame they can't fix their fanboys.

      1. Anonymous Coward

        Re: Sorry to all the excitable fandroids

        I think they have. None of them seem to be able to father children. On the other hand, that might be because they can't get dates (of the unpaid kind).

  5. Anonymous Coward

    We really are at the mercy of crappy programmers now...

    ...and there are so many of them about. It's frightening.

    I just know this was coded up by some twentysomething lanky T-shirt wearing know-it-all with a pube-like wispy beard who still has no idea what he did wrong, but is as cocky as hell about working at Apple because it makes him 'special'.

    1. 404

      Re: We really are at the mercy of crappy programmers now...

      Whew! I ^hate^ those kind of folks!*

      :|

      *it's ok, I'm EOH ->Equal Opportunity Hater, club motto: 'Arse is not a color, race, gender, sexual orientation, religion... etc'

    2. Pete Spicer
      Alert

      Re: We really are at the mercy of crappy programmers now...

      I sort of take exception to this - but in the very best of British, stiff upper lipped way! I'm a twenty-something programmer, wear t-shirts and am pretty well bearded, though I'm only just a twenty-something (not for much longer, sadly), t-shirt wearing and so on, but I gotta say, the crowd of people who develop with more than a passing care for security seems to get increasingly lower as time goes on. People don't care about security all the time it affects their convenience.

      I'm in that awkward situation where everything I do is in PHP, and before anyone whines too much about how PHP is the devil and it eats your children or something, the sad truth is that the crapfest that is PHP is pretty much everywhere and it can't hurt to have someone who does have *some* idea about security running around in the camp. Too many times I've had to deal with people who want <feature X> added to their site but don't care about any of the security implications or anything else. Yes, of course I want to downgrade password security from salted SHA-256 to unsalted MD5 to integrate with your other crappy app. Right after I run out of thermal underwear at Satan's winter ski lodge.

      Anyway, as you were.

      1. John H Woods Silver badge

        Re: We really are at the mercy of crappy programmers now...

        Pete Spicer: "People don't care about security all the time it affects their convenience"

        I sort-of understand how this happens in some applications, but this is a fracking Password Reset application. The PRIMARY function is security related - this is not adding <feature X> to an application.

        This isn't just a (ludicrous) coding failure - this is a failure of testing, and indeed management. We are at the mercy of "crappy everyone" and the buck stops at management. They will blame the coder - not the people who hired him, the people who managed him, the people who reviewed his code, the people who tested his work and the people who signed it off for production. All of them have failed in their jobs as much as the coder, and it shows a total disregard for user security.

        To then say "We take customer privacy very seriously" seems to me to almost be the equivalent of saying "we know X is very important but we have no idea how to do it".

        1. DJO Silver badge

          Re: We really are at the mercy of crappy programmers now...

          If I read the article correctly the app allowed a URL in a date (of birth) entry box. Any programmer who would allow a non-date as a valid entry on such a critical system should not be allowed within 100 yards of a keyboard. Checking that inputs are valid for the expected datatype and do not have any sneaky embedded SQL or similar scripty type stuff is so trivial that forgetting it is inexcusable.
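The check DJO describes, written out as an added example that is not part of this thread and is not Apple's code: the date-of-birth field of a password-reset form is parsed as a strict ISO date before anything else looks at it, so a URL, a quoted SQL fragment, a script tag or a differently formatted date never reaches the comparison or a database. The sample inputs, the fixed "today", the age bounds and the function names are all constructed for the example.

```python
import hmac
import re
from datetime import date, datetime

# Constructed sample inputs (not from the article): what a password-reset
# "date of birth" field might receive, including the kind of non-date
# content the comment above says should never be accepted.
SAMPLE_INPUTS = [
    "1985-07-14",                        # well-formed, plausible
    "2000-03-22",                        # exactly MIN_AGE_YEARS old on TODAY
    "2001-02-29",                        # well-formed but not a real date
    "2030-01-01",                        # in the future
    "1890-01-01",                        # implausibly old
    "2005-01-01",                        # below the minimum age
    "http://example.invalid/reset?x=1",  # the URL case from the comment
    "1985-07-14' OR '1'='1",             # embedded SQL fragment
    "<script>alert(1)</script>",         # embedded script
    "14/07/1985",                        # wrong format for this form
    "",                                  # empty
]

# Fixed reference date so the example is deterministic (constructed).
TODAY = date(2013, 3, 22)

# Strict YYYY-MM-DD with ASCII digits only; re.ASCII stops \d from matching
# non-ASCII digit characters.
DOB_PATTERN = re.compile(r"\d{4}-\d{2}-\d{2}", re.ASCII)

# Hypothetical policy bounds for this example; a real service sets its own.
MIN_AGE_YEARS = 13
MAX_AGE_YEARS = 120


def parse_dob(raw, today):
    """Return a date if `raw` is a well-formed, plausible ISO date, else None.

    Shape is checked first, then calendar validity (strptime rejects
    2001-02-29), then plausibility against `today`.
    """
    if not isinstance(raw, str) or DOB_PATTERN.fullmatch(raw) is None:
        return None
    try:
        dob = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None
    if dob > today:
        return None
    # Whole years elapsed, accounting for whether the birthday has passed.
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if years < MIN_AGE_YEARS or years > MAX_AGE_YEARS:
        return None
    return dob


def dob_matches(submitted_raw, stored_dob, today):
    """True only if the submitted value parses and equals the date on record.

    The caller learns just True/False, and the comparison runs over
    fixed-format strings in constant time, so neither the failure reason
    nor timing says which part was wrong.
    """
    dob = parse_dob(submitted_raw, today)
    if dob is None:
        return False
    return hmac.compare_digest(dob.isoformat().encode(), stored_dob.isoformat().encode())


def triage_inputs(inputs, today):
    """Map each raw input to whether it would be accepted as a date of birth."""
    return {raw: parse_dob(raw, today) is not None for raw in inputs}


if __name__ == "__main__":
    for raw, accepted in triage_inputs(SAMPLE_INPUTS, TODAY).items():
        print(f"{'accept' if accepted else 'reject'}: {raw!r}")
```

The design point is that only the `date` object returned by `parse_dob` is ever used downstream; the raw string is discarded, so there is nothing to interpolate into a query or a page. Rejection is deliberately uniform: a future date, a non-date and a URL all produce the same `None`, which keeps the reset form from becoming an oracle for which fields were close.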

  6. Not That Andrew

    Isn't this the same flaw that a Wired journo was boo-hooing all over the internet over last year?

    1. chris lively
      Facepalm

      No

      That one required you to actually call Apple with 4 digits of your cc number. This one is just a web page asking for info publicly available on your fb page. Apparently there's a difference.

      I agree with the guy saying there are too many idiots doing programming. I've yet to see someone coming out of college that has any idea about proper security. However they ALL seem to have the idea that it's impossible to make good software.

      I've beaten god knows how many of those idiots up the side of their head due to the crap they put out. In many cases taking control of their twitter or fb accounts to prove the point while training them. In our rush to get programmers no one has bothered to give them a decent level of training. I don't care if you wrote a multi user operating system that actually half-assed worked to graduate. If the code you put out for simple web sites has SQL injections then your professors failed; if you don't even know what that is then you failed.

      Can we please get a standards body in place to limit which of these winners can call themselves a "programmer"?

  7. Alan Denman

    the flaw has been there for years?

    seems to me it was becoming common knowledge amongst a few hackers but the percentage of hacks increased recently..

    They are just having a 'last fling'.

  8. Mike Bell

    Move along now. Nothing to see here.

    If various reports are to be believed, the security flaw in said Apple website was plugged, and the site brought back online after a few hours.

    http://www.imore.com/apple-rolls-out-fix-password-reset-security-hole-iforgot-site-back

  9. Velv
    Trollface

    Troll Season

    OK, so we all like a good laugh. Schadenfreude is such fun. And it's easy to think you're big if you can troll.

    Right kiddies, time for a lesson:

    There are lots of Apple devices out there - I know because I have one. There are lots more Android devices out there - I have some of those too. They BOTH have flaws. I DON'T TRUST EITHER OF THEM

    It's worse than the Muslims and the Christians on here - "my imaginary friend is better than your imaginary friend". ffs

    Right, off for an El Reg bacon buttie until someone takes that bait :)

    1. Anonymous Coward

      Re: Troll Season

      "off for an El Reg bacon buttie until someone takes that bait"

      Since you're going, I'm feeling a little peckish myself.
