Responsible disclosure failed – Apple ID password reset flaw

Responsible disclosure is a double edged sword. The faustian bargain is I keep my mouth shut to give you time to fix the flaws, not ignore me. I would humbly suggest that it is very relevant to your interests when a top security researcher submits a business logic flaw to you that is trivially exploitable with just iTunes or a browser requiring no actual hacking skills.

If anyone knows anyone at Apple, please re-share or forward this post, and ask them to review my rather detailed description of my rather simple method of exploiting the Apple ID password reset system I submitted over six months ago with so far zero response beyond an automated reply. The report tracking number is #221529179 submitted August 12, 2012.

My issue should be fixed along with the other issues before they let password reset back online with my flaw intact.

Published by vanderaj

Just another security geek

Leave a comment

Your email address will not be published. Required fields are marked *