A major security hole has been discovered in Apple’s password reset feature, which lets anyone reset your Apple ID password with only your email address and date of birth. The news comes less than 24 hours after Apple rolled out two-factor authentication to iCloud users. The exploit only affects users who haven’t enabled two-step verification.
The Verge reports:
[T]oday a new exploit has been discovered that affects all customers who haven’t yet enabled [two-step verification]. It allows anyone with your email address and date of birth to reset your password — using Apple’s own tools. We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page.
We recommend that you immediately head over to Apple’s account page and enable two-step verification, and as an additional security measure change your birthdate to something that’s not easily predictable. Sadly, two-step verification is available to Apple users only in a select few countries (U.S., U.K., Ireland, Australia, or New Zealand), which means that others can’t really do much without Apple’s intervention. A number of Apple users who did enable two-step verification but were told by Apple to wait three days also remain at risk.
We expect Apple to temporarily disable password resets, as it did earlier, until it can patch this major security hole.
Apple doesn’t have the best track record when it comes to online services, but the recent security holes and attacks highlight another emerging area of concern for the company — security. Here’s a reminder of the recent issues:
- Apple’s phone-based password reset system was exploited to hack Wired writer Mat Honan’s iCloud account.
- Apple’s own computers were hacked last month.
- People keep figuring out a way to bypass the passcode lock on iPhones and iPads.
Update: As expected, Apple’s put the password reset webpage into maintenance mode.