Major Security Hole Allows Apple ID Password Reset With Email Address And Date of Birth [Updated]

The Verge reports:

[T]oday a new exploit has been discovered that affects all customers who haven’t yet enabled [two-step verification]. It allows anyone with your email address and date of birth to reset your password — using Apple’s own tools. We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page.

We recommend that you immediately head over to Apple’s account page, and enable two-step verification, and as an additional security measure change your birthdate to something that’s not easily predictable. Sadly, two-step verification is available to Apple users only in select few countries (U.S., U.K., Ireland, Australia or New Zealand), which means that others can’t really do much without Apple’s intervention. A number of Apple users who did enable two-step verification but were told to wait for three days by Apple also remain at risk.

• Apple’s phone based password reset system was exploited to hack Wired writer Mat Honan’s iCloud account.
• Apple’s own computers were hacked last month.
• People keep figuring out a way to bypass the passcode lock on iPhones and iPads.

Update: As expected, Apple’s put the password reset webpage into maintenance mode.