Apple accused of security blunder; highlights cloud risks

According to this post, someone at Apple committed a huge security blunder, giving the password to someone’s Apple ID to a third party. How was this accomplished? Someone emailed from an email account not associated with the Apple ID, and asked for the password. Apple apparently just reset the password and emailed it to the enquirer.

I haven’t verified the claim; but even if it is false, it highlights the risks of living the cloud life. Here’s what victim Marko Karppinen emailed to Apple:

Apparently based on a single-line email inquiry, you have allowed a third party access to:
– My personal details
– My personal email
– All the files stored on my iDisk
– Everything I’ve synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
– My credit card details as stored in my Apple Store profile
– My iTunes Music Store Account
– My ADC Premier membership, including the software seed key and other assets
– The iPhone Developer Program’s Program Portal, including details of our development team

Frankly, this makes me so angry that I can’t see straight.

Simon Willison, whose blog alerted me to the incident, mentioned a few weeks ago the security problem inherent in any site that will email you a password:

I have a very simple rule of thumb for whether or not a site should consider whitelisting OpenID providers: does the site offer a “forgotten password” feature that e-mails the user a login token? If it does, then the owners have already made the decision to outsource the security of their users to whoever they picked as an e-mail provider.

Let’s bear in mind too that email mostly travels through the internet as plain text, vulnerable to interception.

Thought for the day: how much of your data is protected only by a simple username/password combination, and presuming there is some, how well protected is that password itself?

I imagine Apple will be tightening up its procedures, if the incident above is confirmed, since it was easily avoidable.
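As an added example (not code from the post, from Apple, or from either quoted author), here is the reset flow that avoids the blunder described above, in Python: whoever asks, and from whatever address, the only thing that leaves the system is a short-lived, single-use token mailed to the address on file, and the password itself is never mailed. The in-memory account store, mail queue, audit log and example.com addresses are constructed stand-ins.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # a reset token is valid for 15 minutes

# Constructed sample data standing in for a user database and a mail queue.
accounts = {"marko": {"email": "marko@example.com", "password": "old-secret"}}
pending = {}   # sha256(token) -> {"user": ..., "expires": ...}
outbox = []    # (recipient, body) messages the mailer would have sent
audit = []     # (time, username, requester address) for later review


def _digest(token):
    # Store only a hash of the token, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, requester, now=None):
    """Handle a 'forgot my password' request.

    The requester's address is recorded but never used as a destination:
    the token goes only to the address registered on the account. The reply
    is identical whether or not the username exists, so nothing is learned
    by probing, and a request from an unassociated address gains nothing."""
    now = time.time() if now is None else now
    audit.append((now, username, requester))
    acct = accounts.get(username)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        pending[_digest(token)] = {"user": username, "expires": now + TOKEN_TTL}
        outbox.append((acct["email"], f"Reset link: https://example.com/reset?t={token}"))
    return "If that account exists, a reset link was sent to its registered address."


def redeem(token, new_password, now=None):
    """Consume a token: it must be known and unexpired, and it is removed on
    first presentation so it cannot be used twice, even if the first try fails."""
    now = time.time() if now is None else now
    entry = pending.pop(_digest(token), None)
    if entry is None or now > entry["expires"]:
        return False
    accounts[entry["user"]]["password"] = new_password
    return True
```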


4 thoughts on “Apple accused of security blunder; highlights cloud risks”

  1. Um, have just tried that. Not showing up different in my newsreader (the latest ones are partial posts, but those were collected from the old RSS URL) but maybe it will when there’s a new post.

  2. @Charles

    I’ve fixed the old feed now (I think). There’s a difference, in that the old (deprecated) feed just has a single element for each item. The newer specs have both or elements as well as a element; this means which one you see depends on the blog reader you are using. For example, if you display the RSS2 feed directly in Firefox, you don’t see the full text even though it is there if you view source.

    I hope this is sorted now – it took disproportionate effort to change one line of code.

    Tim
