It's possible to get private Apple ID information
| Originator: | julien | | |
| Number: | rdar://11008967 | Date Originated: | 08-Mar-2012 09:35 AM |
| Status: | Open | Resolved: | |
| Product: | iCloud | Product Version: | n/a |
| Classification: | Security | Reproducible: | Yes |
Summary:
It's possible to get access to an Apple ID account without entering login information and without having information about the hacked account.

Steps to Reproduce:
1. Log in to your Apple ID account (computer 1, using foo@me.com), for example using the following address: https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/73/wa/directToSignIn?wosid=T64HfDhj3zq4iZ4q1yLpx0&localang=fr_FR
2. Send the address to another computer (I used iMessage to send it). Address: https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/73/wo/T64HfDhj3zq4iZ4q1yLpx0/2.0.29.145.1
3. On computer 2, click on the sent link (https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/73/wo/T64HfDhj3zq4iZ4q1yLpx0/2.0.29.145.1). Remove the Apple ID and connect using another Apple ID (computer 2, using bar@me.com).
4. On computer 1, click on Preferences in the Apple ID account (https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/73/wo/T64HfDhj3zq4iZ4q1yLpx0/4.0.29.145.7.9.0?menuOption=EditContactPreferences).

Expected Results:
Computer 1 should still be connected to foo@me.com.

Actual Results:
Computer 1 is connected with bar@me.com!

Regression:

Notes:
- If computer 2 disconnects from its Apple ID, computer 1 will also be disconnected.
- Tested on Safari.
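
A defender-side check for the behaviour reported above, as an added example that is not part of the original report: it extracts the token that the report's URLs carry (as `wosid=` and as the path segment after `/wo/`) and flags any token presented by more than one client. Treating that token as the session identifier, the `client` labels, the host `idp.example` and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path layout seen in the report: .../MyAppleId.woa/73/wo/<token>/<context>
PATH_TOKEN = re.compile(r"\.woa/(?:[^/]+/)?wo/([^/?#]+)")


def session_token(url):
    """Return the token a URL carries (query 'wosid' or path after /wo/), else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if query.get("wosid"):
        return query["wosid"][0]
    match = PATH_TOKEN.search(parts.path)
    return match.group(1) if match else None


def shared_sessions(events):
    """events: iterable of (client, url) pairs.

    'client' is whatever the deployment uses to tell browsers apart
    (assumption: e.g. a device cookie or an IP/User-Agent pair).
    Returns {token: sorted clients} for tokens seen from more than one client.
    """
    clients_by_token = defaultdict(set)
    for client, url in events:
        token = session_token(url)
        if token:
            clients_by_token[token].add(client)
    return {t: sorted(c) for t, c in clients_by_token.items() if len(c) > 1}


# Constructed sample events; host and tokens are placeholders, paths follow the report.
BASE = "https://idp.example/cgi-bin/WebObjects/MyAppleId.woa/73"
SAMPLE_EVENTS = [
    ("computer-1", BASE + "/wa/directToSignIn?wosid=CONSTRUCTEDSID0001&localang=fr_FR"),
    ("computer-2", BASE + "/wo/CONSTRUCTEDSID0001/2.0.29.145.1"),
    ("computer-1", BASE + "/wo/CONSTRUCTEDSID0001/4.0.29.145.7.9.0?menuOption=EditContactPreferences"),
    ("computer-3", BASE + "/wo/CONSTRUCTEDSID0002/0.1"),
    ("computer-3", BASE + "/wa/static"),  # carries no token, ignored
]

if __name__ == "__main__":
    for token, clients in shared_sessions(SAMPLE_EVENTS).items():
        print(f"token {token} used by {len(clients)} clients: {', '.join(clients)}")
```
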