Performing authentication on a massive userbase with whom there is zero offline interaction is hard, especially when it comes down to the degraded authentication required by password reset processes. Considering that web interfaces appear to be the dominant channel by which cloud services are managed (we touch on the implications here), a flawed password reset process can mean that attackers gain access to more that simply your mail.
In August last year, TechCrunch published a way to enumerate usernames on MobileMe. We abused this further to target a specific user on MobileMe in order to reset his password. As the video shows, the process only requires a birthdate (which is generally obtainable either through FaceBook, Wikipedia, Amazon wishlists or the like) and a secret question. Again, with enough digging the answer to the secret question is often guessable. In the video above we show a toy example of the password reset working against a SensePoster.
Apple has since patched this bug.
Finally, we demonstrate the password reset attack against Woz's MobileMe account. We stopped before actually resetting his password, but in his own words he stores mail, calendaring info and other information that is sensitive to him on MobileMe, and the ability to XSS the page would mean that the continued compromise of the account was possible.