According to this post, someone at Apple committed a huge security blunder, giving the password to someone’s Apple ID to a third party. How was this accomplished? Someone emailed from an email account not associated with the Apple ID, and asked for the password. Apple apparently just reset the password and emailed it to the enquirer.
I haven’t verified the claim; but even if it is false, it highlights the risks of living the cloud life. Here’s what victim Marko Karppinen emailed to Apple:
Apparently based on a single-line email inquiry, you have allowed a third party access to:
– My personal details
– My personal email
– All the files stored on my iDisk
– Everything I’ve synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
– My credit card details as stored in my Apple Store profile
– My iTunes Music Store Account
– My ADC Premier membership, including the software seed key and other assets
– The iPhone Developer Program’s Program Portal, including details of our development team
Frankly, this makes me so angry that I can’t see straight.
Simon Willison, whose blog alerted me to the incident, mentioned a few weeks ago the security problem inherent in any site which will email you a password:
I have a very simple rule of thumb for whether or not a site should consider whitelisting OpenID providers: does the site offer a “forgotten password” feature that e-mails the user a login token? If it does, then the owners have already made the decision to outsource the security of their users to whoever they picked as an e-mail provider.
Let’s bear in mind too that email mostly travels through the internet as plain text, vulnerable to interception.
Thought for the day: how much of your data is protected only by a simple username/password combination, and presuming there is some, how well protected is that password itself?
I imagine Apple will be tightening up its procedures, if the incident above is confirmed, since it was easily avoidable.
4 thoughts on “Apple accused of security blunder; highlights cloud risks”
Your RSS feed is missing all the HTML formatting – no para breaks, and no links either! I’m still seeing it (at http://www.itwriting.com/blog/rss.php) but it’s borked. Any thoughts?
I’m trying to fix this; but I recommend that you change the feed to:
which will most likely work OK.
Thanks for letting me know.
Um, have just tried that. Not showing up different in my newsreader (the latest ones are partial posts, but those were collected from the old RSS URL) but maybe it will when there’s a new post.
I’ve fixed the old feed now (I think). There’s a difference, in the the old (deprecated) feed just has a single
element for each item. The newer specs have both or
I hope this is sorted now – it took disproportionate effort to change one line of code.
Comments are closed.