Apple is reconsidering its security policies after hackers managed to exploit a hole in its password reset verification process to wipe Mat Honan's personal computer, iPad, and iPhone, hack into his email account, and from there access his personal Twitter and Gizmodo's Twitter.
On Saturday, we told you about Honan's terrifying experience of losing all of the information on his fleet of personal computers, and seeing his Twitter used to spout homophobic messages. Honan eventually figured out the hacker used Apple's option to reset a password over the phone to gain access to his account. All you need to reset someone's password is their name, address, email address and the last four digits of their credit card number.
Honan, now at Wired, and Nathan Olivarez-Giles report that Apple has put a temporary freeze on the option while it figures out what to do next. Honan had a special feature activated on his computers that would let him wipe his hard drives remotely if they were ever stolen. The feature exists so that if someone were to steal your phone or computer, you could wipe your personal information and stop them from accessing your accounts. But Honan's case was the exact opposite: thieves gained access to his accounts and wiped away all of his data instead.
In an update to his original post, Honan conceded that he should have had Google's two-pass identification option set up, which would have stopped him from losing access to his email and Twitter accounts. But it wouldn't get him his computers back. "[Two-pass] wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud," he writes. The Atlantic's James Fallows thinks it's a good idea, too. So, yeah, we're going to do that right now.
This article is from the archive of our partner The Wire.