For those worried, this is not a new exploit. Old news:<p>https://news.ycombinator.com/item?id=4353155<p>https://news.ycombinator.com/item?id=5425153<p>As reported, it's been fixed:<p>http://www.zdnet.com/apple-fixes-dangerous-password-reset-flaw-7000013073/
I'd be happy to sign up for 2-factor auth, but it doesn't work with Google Voice.<p>The whole reason I use Google Voice is to keep my phone number independent of the device/carrier I happen to be using. It's my permanent address in telephony. Whatever number is on my SIM card is just temporary. If I used 2FA, I'd run the very real risk of locking myself out of my account the next time I change carriers.<p>Knowing how Apple expects its users to commit to its product portfolio all-or-nothing, I don't expect an Android app, but it would be nice if Facebook and Apple would at least include Google Voice support in their SMS verification tools. (As for 2-factor authentication, they really should support the Authenticator project like everyone else.)
This kind of reminds me of Weev's AT&T hack: changing some values to obtain information that should otherwise not be easily obtainable. A pretty big mistake to make on Apple's part here, but it's good they took the page down because of the issues, and above all, no edgy hacker stealing information and leaking it was required to publicise the security issue. Who would have thought?