Apple exposed a major flaw in its own iCloud security last week when it allowed a random caller to phone in and reset the password for Wired editor Mat Honan’s iCloud account. That reset gave the hacker control of the account and the ability to remotely wipe all of Honan’s Mac and iOS devices.
To ensure the same thing doesn’t happen again, Apple has now suspended iCloud password resets over the telephone, according to an unnamed employee speaking to Wired. This was confirmed by AppleCare:
Our Apple source’s information was corroborated by an Apple customer service representative, who told us Apple was halting all AppleID password resets by phone. The AppleCare representative shared that detail while Wired was attempting to replicate Honan’s hackers’ exploitation of Apple’s system for the second day. The attempt failed, and the representative said that the company was going through system-wide “maintenance updates” that prevented anyone from resetting any passwords over the phone.
The freeze will reportedly remain in place until Apple has determined which security policies it needs to change to prevent a repeat of this situation. “Right now, our system does not allow us to reset passwords,” the Apple rep said. “I don’t know why.”
The rep then advised Wired to call back again in 24 hours, and directed them to iforgot.apple.com, where passwords can be reset online.
Apple has clearly acknowledged that there is a problem with its current system, but it is not yet clear what the Cupertino company will do to fix it. It could disable telephone password resets altogether, forcing users to reset through its website. Or it could add extra verification steps to ensure that callers really are the owners of the accounts they are trying to access.
When Honan’s account was compromised, all the hacker needed to reset the password over the telephone was a name, an email address, a mailing address and the last four digits of a credit card number linked to his AppleID. Once Honan’s password had been reset, the hacker gained access to his iCloud account and to all of the Mac and iOS devices linked to it, which were then wiped remotely.
The iCloud account also gave the hacker access to Honan’s Google account, which was also wiped, to his Twitter account, and even to the Twitter account of Gizmodo, where Honan previously worked. Apple is now working with Honan in an effort to recover his data.