Amazon and Apple Remove Mobile Browsing Password Resets After Hack
Both Apple and Amazon have removed a feature on their mobile browsing websites to reset a device password, in light of a recent hack on Wired writer Mat Honan’s iCloud account, which resulted in all of his Apple products being wiped in minutes.
Reportedly, hackers accessed the phone remotely by exploiting a loophole in Apple’s AppleCare and Amazon’s tech support, where all they needed was the account holder’s name, email address, billing address, and the last four digits of a registered credit card.
The hackers added a new credit card to Honan’s Amazon account, then contacted the company stating that they could not access the account. By confirming the credit card and address details, they were then able to reset the password on the account.
They then went on to contact Apple and managed to pass through Honan’s security, even though they didn’t know any of the security questions, and accessed the account, wiping Honan’s iPhone, iPad, and MacBook Air remotely.
Since the quite rightly irate Honan wrote about the exploits on Wired.com, Apple and Amazon have been looking into their security processes, and the first thing to change has been the over-the-phone password reset process.
As a result, both Amazon and Apple have blocked the ability to change passwords via phone while they see how they can improve the security of these accounts.