The idea for this article came from the security e-mail inbox here at The Tech Herald. The e-mail contained a link to tech site Ars Technica, which had the story of Marko Karppinen and his Apple Developer Connection (ADC) account password. It would seem that Marko’s account was turned over to someone with a short grasp of English, or a Lolcat. Apple has since apologized for the incident, but considering the safeguards Apple uses -- normally uses -- this shouldn’t have happened.
It's scary to imagine, but you have to wonder if "I can haz passwurd now?" would have worked just as well. (Image: J. Anderson)
Marko blogged about the incident, which is how Apple found out, and posted the details of the e-mail communication that led to his ADC account being turned over to someone other than him.
“I tried to log in to Apple Developer Connection this morning to find out that my password had been changed and the email associated with my account was now a yahoo.com address that wasn't mine,” he explained.
Now, the security question used for the account, which is needed for password resets, was still the same. So Marko reset his password, and accessed his account. What he discovered is both comical and frightening.
“Based on the emails that have appeared in my .Mac mailbox, [the password was reset] by sending this classy one-liner to Apple: “am forget my password of mac, did you give me password on new email marko.[redacted]@yahoo.com” To which Apple reacted by doing the only reasonable thing – saying “Sir, Yes Sir!” and handing my account over.”
Anyone who has seen images of Lolcats would pick up on the pattern of speech. Who knew that when the cats finally moved to take over the world, they would start with ADC accounts?
The matter is humorous, or rather humorous after the fact, only because Marko got his account back under his control. In reality this is serious. Apple released his account on the basis of an e-mail. They handed over personal information, iDisk files, address book information, anything Marko would have synced to his .Mac account, credit card details (stored on Marko's Apple Store profile), and more. Remember, the person who sent the e-mail and set up the fake Yahoo address had access to everything in Marko's ADC account.
"Frankly, this makes me so angry that I can't see straight. Did it not occur to you at all that someone at "marko.[redacted]@yahoo.com" was not actually me? For example, because the names didn't match?" wrote Marko in an angry letter to Apple shortly after the issue was discovered. "Can you even begin to appreciate the amount of work I need to do to re-secure all the information that you have compromised? How do you propose to restore confidence that I, or indeed anyone, should ever store anything confidential on your systems again?"
Hours after Marko posted his story to the world via his online blog, a team lead from Apple Developer Connection's European support organization called to apologize. The person apologized for the overall security breach, and assured him that “…they don't normally operate this way.”
Apple is said to be looking into the matter, which Marko hopes will lead to logs detailing exactly how his account was used, but there has been no new information.
Marko has posted an e-mail from Apple containing its response to the password request. You can read it by clicking HERE.