OS X: iCloud Users have ability to reset Active Directory mobile accounts remotely.
| Originator: | eriknicolasgomez | | |
| Number: | rdar://21488304 | Date Originated: | 22-Jun-2015 01:31 PM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | OS X 10.9.5 and higher |
| Classification: | Security | Reproducible: | Always |
Summary:
If a user connects to iCloud, they can then reset AD mobile accounts remotely. This can lead to these potential issues:
1. User forgets AD password, resets account and is no longer in sync with the server.
2. If a malicious user gains access to the Apple ID, they can use it to unlock all accounts on machine remotely.
3. User can change password of other users on machine.

Steps to Reproduce:
1. User signs into iCloud on an AD bound machine
2a. Reset password through icloud.com
2b. Reset password of any account on machine through System Preferences

Expected Results:
iCloud should not be able to reset passwords for mobile accounts.

Actual Results:
iCloud can currently reset passwords for mobile accounts.

Regression:

Notes: