
Want a complete stranger's Apple ID?

Ask and thou shalt receive
Wed Jul 09 2008, 12:54

SUPER SECURE APPLE has dropped a clanger on one of its loyal .Mac users by handing over his password and login details to a complete stranger with a similar name.

Doesn't really bode well for the Cupertino Cabal's new Mobile Me service, does it?

We'll leave the telling of the tale to Marko Karppinen, who revealed the blunder on his blog:

I tried to log in to Apple Developer Connection this morning to find out that my password had been changed and the email associated with my account was now a yahoo.com address that wasn't mine. Luckily, my "security question" was still the same, so I was able to reset the password and email address back.

Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

To which Apple reacted by doing the only reasonable thing – saying Sir, Yes Sir! and handing my account over. Here's the email I just sent Apple:

Dear ADC,

You have reset my password based on a request by someone other than me. Rather than checking if the requester was actually me by comparing the information in their personal profile, you have allowed a third party to access my Apple ID for no reason whatsoever.

I tried to log in today and saw that my password had been changed, and the email address associated with my account changed to "marko.[redacted]@yahoo.com".

Apparently based on a single-line email inquiry, you have allowed a third party access to:
- My personal details
- My personal email
- All the files stored on my iDisk
- Everything I've synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
- My credit card details as stored in my Apple Store profile
- My iTunes Music Store Account
- My ADC Premier membership, including the software seed key and other assets
- The iPhone Developer Program's Program Portal, including details of our development team

Frankly, this makes me so angry that I can't see straight. Did it not occur to you at all that someone at "marko.[redacted]@yahoo.com" was not actually me? For example, because the names didn't match?

Can you even begin to appreciate the amount of work I need to do to re-secure all the information that you have compromised? How do you propose to restore confidence that I, or indeed anyone, should ever store anything confidential on your systems again?

With best regards,
Marko Karppinen

Marko notes that within a few hours of his posting this a bloke from Apple Developer Connection's European support organisation called, "apologised for the mess, and assured me that they don't normally operate this way. He promised to find out if Apple can determine, based on their logs, where and how my Apple ID was used in between the password reset and myself discovering all this about 12 hours later."

I'm sure Marko will be signing up to Mobile Me when it launches tomorrow and we wish him well with keeping his data out of the hands of synonimical [did I just make that word up... who knows?] hackers everywhere. µ

 
