Apple Flaw Allowed Easy Account Hijacking

posted Saturday Mar 23, 2013 by Scott Ertz


This series of articles is quickly becoming my favorite and least favorite to write: Apple security flaws. As a developer and media person who has always known Apple software was written in an incredibly lazy and insecure way, it is a lot of fun to see others realize it. As a consumer, it is incredibly disheartening to know that Apple cares so little about their customers and their security that issues like this have become a weekly occurrence.

This week's major security flaw from the company rated #1 by JD Power again involves the incredible ease with which Apple's iCloud (Apple ID) accounts could be hijacked. The only things needed to reset an iCloud account password were the account's email address and the owner's date of birth.

While this may seem like enough information to uniquely identify an individual, it is also information shown on a great many Facebook or Twitter profiles. In other words, the only thing really needed to take over someone's Apple account was a look at a Facebook or Twitter profile, both of which are mostly public. This harkens back to the "game" that went around Twitter at one point encouraging people to post their porn name, built from the street you grew up on and your mother's maiden name. A lot of people played, and those are exactly the answers to the security questions on a lot of bank, email and other accounts, so plenty of them were hijacked because of it.

This, however, has less to do with coordinated online phishing and more to do with Apple making it possible to change a password using information already available online. The attackers do not have much work to do to get hold of this information: just browse the Internet and collect it. Impressive.

Now, Apple has "patched" this flaw by rolling out two-step verification for Apple ID, which, once a user turns it on, requires a code sent to a trusted device before a password can be reset, similar to what Microsoft, Google, Facebook and others have had implemented for a while. While always late to the party, at least Apple has finally shown up.
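To make the difference concrete, here is an added example (my own constructed code, not Apple's implementation or anything from the iForgot page) of the two reset flows side by side: a knowledge-based reset that accepts an email address plus date of birth, and a reset gated on a one-time code delivered to a trusted device. The account, the birthday, the server key and the expiry and retry limits are all made-up stand-ins; `issue_reset_code` returns the code instead of sending it, purely so the flow can be exercised offline.

```python
"""Weak knowledge-based password reset beside one gated on a second factor.

Constructed example: the account store, code delivery, key and policy
constants below are stand-ins, not any vendor's implementation.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 10 * 60   # assumed policy: reset codes live ten minutes
MAX_CODE_ATTEMPTS = 3        # assumed policy: three wrong guesses lock the pending reset
PBKDF2_ROUNDS = 100_000
SERVER_KEY = secrets.token_bytes(32)   # assumed server-side secret for keying code digests


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'hexsalt$hexdigest'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class PendingReset:
    code_digest: bytes          # keyed digest of the one-time code; the code itself is never stored
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


@dataclass
class Account:
    email: str
    date_of_birth: str          # "YYYY-MM-DD"; routinely visible on social profiles
    password_hash: str
    pending: Optional[PendingReset] = None


def make_store() -> dict:
    """Constructed sample account; every value here is made up."""
    return {"alice@example.com": Account("alice@example.com", "1985-04-12", hash_password("correct horse"))}


# --- Weak flow: every "secret" is publicly discoverable -----------------------

def reset_password_kba(store: dict, email: str, dob: str, new_password: str) -> bool:
    """Knowledge-based reset: anyone who knows the email and birthday succeeds."""
    acct = store.get(email)
    if acct is None or not hmac.compare_digest(acct.date_of_birth, dob):
        return False
    acct.password_hash = hash_password(new_password)
    return True


# --- Hardened flow: the reset also needs proof of possession of a trusted device ---

def _code_digest(email: str, code: str) -> bytes:
    # Keyed, so a leaked table of digests cannot be brute-forced offline over the
    # 10^6 code space without SERVER_KEY.
    return hmac.new(SERVER_KEY, f"{email}:{code}".encode(), hashlib.sha256).digest()


def issue_reset_code(store: dict, email: str, now: Optional[float] = None) -> Optional[str]:
    """Generate a single-use code and "deliver" it to the trusted device.

    A real endpoint would push the code to the device, return nothing, and
    respond identically for unknown emails to avoid account enumeration; the
    code is returned here only so the flow can be run offline.
    """
    acct = store.get(email)
    if acct is None:
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = PendingReset(_code_digest(email, code), now + CODE_TTL_SECONDS)
    return code


def reset_password_2sv(store: dict, email: str, dob: str, code: str,
                       new_password: str, now: Optional[float] = None) -> bool:
    """Reset gated on the one-time code; the birthday alone is no longer enough."""
    acct = store.get(email)
    if acct is None or not hmac.compare_digest(acct.date_of_birth, dob):
        return False
    pending = acct.pending
    now = time.time() if now is None else now
    if pending is None or now > pending.expires_at or pending.attempts_left <= 0:
        acct.pending = None                   # expired or locked: force a fresh issue
        return False
    if not hmac.compare_digest(pending.code_digest, _code_digest(email, code)):
        pending.attempts_left -= 1            # throttle guessing of the 6-digit code
        return False
    acct.pending = None                       # single use: consumed on success
    acct.password_hash = hash_password(new_password)
    return True
```

The point of the hardened version is not the code format but what the server refuses: a reset with no outstanding code, an expired code, a reused code, and a code guessed after the attempt budget is spent. The birthday check is kept only as a cheap first filter; everything that actually proves identity is the possession of the device the code went to.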


