This afternoon I received an e-mail:
Subject: We’re Unable to Reset Your Apple Password
Date: Tue, 21 Nov 2006 02:55:15 +0000 (GMT)
Dear alec muffett,
We apologize but we were unable to verify your account information with the answers you provided to our security questions.
Because too many invalid attempts were made to answer these questions, you will not be able to reset your password for the next 8 hours.
If you need further assistance, please visit:
…which perplexed me mightily, because I have not touched my Apple Store account for several weeks. Therefore there is only one conclusion that could be drawn: someone is trying to hack into my Apple Store account to retrieve my credit card details. It can’t be an accident; it’s not like my name is particularly common, or that many people with that name would share my birthday.
But that shouldn’t be possible, right?
Well, it turns out that it is possible.
You see, it used to be that if you wanted to change your Apple ID password, you would receive an e-mail which looked like:
(example from 2004)
Date: Wed, 21 Apr 2004 14:11:45 +0000 (GMT)
Subject: How to Reset Your Apple Password
Dear Alec Muffett,
To reset your Apple password, please click on the link below or copy and paste the address onto your web browser’s address window. Once you’re on the web page, you will be instructed to enter and confirm your new password.
Please note that this link will expire 3 hours from the time it was sent.
If you require further assistance in resetting your password, please visit:
Thank you for contacting Apple.
…but no more.
It now appears that the dialogue merely requires you to answer your “security question” for password recovery, typically some piece of trivia, which together with your month and year of birth is all that is necessary to retrieve your credit card numbers and billing address.
The confirmatory e-mail and the requirement to click on a password-change confirmation link have been rescinded, so unless your “password recovery” question is really, really obscure, anyone who knows your birthdate can trivially get at your details and mess around, possibly stealing stuff off of your account and billing it to you.
I know this works, because I just tried it on myself as a proof-of-concept.
This is a dreadful situation, and I implore Apple to reinstate the extra HTTP security check at the soonest opportunity.
If you have an Apple ID and you want to check how easy it is to change your password without any requirement for external authentication, go to http://store.apple.com/ and click on Sign in or create your own personal account.
Then click Did you forget your password? Click here for assistance.
A pop-up window will be created; either enter your Apple ID directly, or click on the Forgot your Apple ID? button which will accept any recent e-mail address of an Apple customer.
Then try guessing, or supply the answer to the Security Question. If you manage it, you can set a new password and Voila! you have access to your patsy’s credit card details.
Tell your friends: This sucks. Randomise the answer to your security question immediately, and store that answer in a safe place.
And complain to Apple. Hell, this is an old hack, it’s not far removed from the way Paris Hilton had her phone hacked. A company like Apple should be beyond this sort of thing, even in the name of usability.
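To make the difference between the two flows concrete, and to show why a randomised answer fixes the problem, here is an added example that is not part of the original post and is not Apple’s code: a hypothetical reset back end with the old emailed-link flow and the new security-question flow side by side. The 3-hour link expiry and the 8-hour lockout are taken from the two e-mails quoted above; the three-attempt budget, the account name and the cat-colour answer are assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets
import time

RESET_LINK_TTL = 3 * 3600        # the 2004 e-mail: link expires 3 hours after sending
LOCKOUT_SECONDS = 8 * 3600       # the 2006 e-mail: 8-hour lockout after too many wrong answers
MAX_QUESTION_ATTEMPTS = 3        # assumed attempt budget; the post does not say what Apple allowed


def _digest(value: str) -> str:
    """Hash secrets before storing them so a leaked table does not leak the secrets."""
    return hashlib.sha256(value.encode()).hexdigest()


class ResetService:
    """Hypothetical password-reset back end (not Apple's code) with both flows side by side."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry and lockout can be exercised
        self.tokens = {}          # apple_id -> (sha256 of token, expiry timestamp)
        self.answers = {}         # apple_id -> sha256 of normalised security answer
        self.failures = {}        # apple_id -> (wrong-answer count, locked-until timestamp)

    # --- old flow: a high-entropy, expiring, single-use secret sent only to the mailbox ---
    def issue_reset_link(self, apple_id: str) -> str:
        token = secrets.token_urlsafe(32)                    # 256 bits: not guessable
        self.tokens[apple_id] = (_digest(token), self.now() + RESET_LINK_TTL)
        return token                                         # goes into the e-mail only

    def redeem_reset_link(self, apple_id: str, token: str) -> bool:
        entry = self.tokens.get(apple_id)
        if entry is None:
            return False
        token_hash, expiry = entry
        if self.now() > expiry:                              # the 3-hour window has passed
            del self.tokens[apple_id]
            return False
        if not hmac.compare_digest(token_hash, _digest(token)):
            return False
        del self.tokens[apple_id]                            # single use
        return True

    # --- new flow: a trivia answer, i.e. whatever an acquaintance could guess ---
    def set_answer(self, apple_id: str, answer: str) -> None:
        self.answers[apple_id] = _digest(answer.strip().lower())

    def answer_question(self, apple_id: str, answer: str) -> str:
        count, locked_until = self.failures.get(apple_id, (0, 0.0))
        if self.now() < locked_until:
            return "locked"
        stored = self.answers.get(apple_id, "")
        if stored and hmac.compare_digest(stored, _digest(answer.strip().lower())):
            self.failures.pop(apple_id, None)
            return "ok"
        count += 1
        if count >= MAX_QUESTION_ATTEMPTS:                   # lock for 8 hours, as in the e-mail
            self.failures[apple_id] = (0, self.now() + LOCKOUT_SECONDS)
            return "locked"
        self.failures[apple_id] = (count, 0.0)
        return "wrong"


def hours_to_exhaust(candidate_count: int) -> float:
    """Hours of lockout an answer with this many plausible values survives before all are tried."""
    batches = math.ceil(candidate_count / MAX_QUESTION_ATTEMPTS)
    return max(batches - 1, 0) * LOCKOUT_SECONDS / 3600


def random_answer(nbytes: int = 16) -> str:
    """The post's advice: replace the trivia answer with a random string kept in a safe place."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    svc = ResetService()
    svc.set_answer("alec", "tabby")                         # constructed example answer
    print("a dozen cat colours survive", hours_to_exhaust(12), "hours of lockout")
    print("a random answer survives", hours_to_exhaust(2 ** 128), "hours")
    print("random answer:", random_answer())
```

The point the numbers make: a question whose answer has a dozen plausible values is exhausted within a day even with the 8-hour lockout, whereas the emailed link has 256 bits of entropy, dies after three hours, and can only be used once. Swapping the trivia answer for `random_answer()` gives the security question the same property as the link.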
UPDATE: For those who want to walk through the dialogue – or who for local circumstances or cookies will not be able to reproduce it – I’ve snapshotted the whole thing here; I reckon the only things which saved me from being ripped-off are that:
- My cat is not a single colour
- I lied about the colour anyway, and chose something different
- I almost never save my credit details with a vendor
But I am paranoid. Lots of people are not.
…but if you guess right, you 0wn the user’s account.