According to this post, someone at Apple committed a huge security blunder, handing the password to someone’s Apple ID to a third party. How was this accomplished? Someone emailed from an email account not associated with the Apple ID and asked for the password. Apple apparently just reset the password and emailed it to the enquirer.
I haven’t verified the claim; but even if it is false, it highlights the risks of living the cloud life. Here’s what victim Marko Karppinen emailed to Apple:
Apparently based on a single-line email inquiry, you have allowed a third party access to:
– My personal details
– My personal email
– All the files stored on my iDisk
– Everything I’ve synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
– My credit card details as stored in my Apple Store profile
– My iTunes Music Store Account
– My ADC Premier membership, including the software seed key and other assets
– The iPhone Developer Program’s Program Portal, including details of our development team
Frankly, this makes me so angry that I can’t see straight.
I have a very simple rule of thumb for whether or not a site should consider whitelisting OpenID providers: does the site offer a “forgotten password” feature that e-mails the user a login token? If it does, then the owners have already made the decision to outsource the security of their users to whoever they picked as an e-mail provider.
Let’s bear in mind too that email mostly travels across the internet as plain text, where it can be intercepted in transit.
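To make the two points above concrete, here is an added example (mine, not Apple’s code and not Marko’s) of a minimal password-reset flow written the way the rule of thumb demands: the address the request comes from is ignored, a short-lived single-use token goes only to the address of record, and a usable password is never put in an email. The account store, the outbox and the addresses are constructed for the example; the "insecure" function models the behaviour described in the post so the two can be compared side by side.

```python
import hashlib
import secrets
import time

# Added example, not Apple's code: a minimal password-reset flow that never
# trusts the address a request comes from and never emails a usable password.

TOKEN_TTL_SECONDS = 15 * 60   # a short window limits the damage if the mail is read in transit

# Constructed account store (values made up for this example): username -> record.
ACCOUNTS = {
    "marko": {"email": "marko@example.com", "password_hash": None},
}
# Pending tokens keyed by SHA-256 of the token, so a copy of this table alone is useless.
PENDING_RESETS = {}
# Stand-in for the mail-sending API: each entry records who a message went to.
OUTBOX = []


def _hash_password(password, salt=None):
    # Salted PBKDF2 so a leaked store does not directly reveal passwords.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(username, password):
    stored = ACCOUNTS[username]["password_hash"]
    if stored is None:
        return False
    salt_hex, _ = stored.split("$")
    return secrets.compare_digest(stored, _hash_password(password, bytes.fromhex(salt_hex)))


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset_insecure(username, requester_email):
    """The blunder described in the post: reset on demand and ship the new password to whoever asked."""
    if username not in ACCOUNTS:
        return False
    new_password = secrets.token_urlsafe(9)
    ACCOUNTS[username]["password_hash"] = _hash_password(new_password)
    OUTBOX.append({"to": requester_email, "body": "Your new password is " + new_password})
    return True


def request_reset(username, requester_email, now=None):
    """Hardened: requester_email is deliberately unused; a single-use, short-lived token goes only
    to the address of record, and the response is identical whether or not the account exists."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    if account is not None:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[_token_key(token)] = {"username": username, "expires": now + TOKEN_TTL_SECONDS}
        OUTBOX.append({"to": account["email"], "token": token})
    return True


def complete_reset(token, new_password, now=None):
    """Consume the token (pop => single use), reject it if expired, then set the new password."""
    now = time.time() if now is None else now
    record = PENDING_RESETS.pop(_token_key(token), None)
    if record is None or now > record["expires"]:
        return False
    ACCOUNTS[record["username"]]["password_hash"] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    request_reset("marko", "unrelated@example.net")
    mail = OUTBOX[-1]
    print("reset mail went to", mail["to"])
    print("reset completed:", complete_reset(mail["token"], "correct horse battery staple"))
    print("old token reusable:", complete_reset(mail["token"], "again"))
```

The design choice worth noting is that the token is the only thing that travels by email, it is hashed before it is stored, it dies after fifteen minutes and it can be redeemed once. That does not remove the dependency on the user’s mail provider, which is the post’s point, but it shrinks what an intercepted or misdirected message is worth.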
Thought for the day: how much of your data is protected only by a simple username/password combination, and presuming there is some, how well protected is that password itself?
I imagine Apple will be tightening up its procedures, if the incident above is confirmed, since it was easily avoidable.