Major security hole allows Apple passwords to be reset
According to The Verge, a major security hole in Apple’s ID login system allows anybody with your email address and date of birth to reset your password and gain access to your account. Apparently the exploit, which has been posted online, involves pasting a modified URL into the iForgot page of Apple’s website.
We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
There’s a simple way to protect yourself against this vulnerability, and that’s to enable a new two-step authentication process introduced by Apple yesterday. Unfortunately, however, some customers who have attempted to set up the feature have been told that they need to wait three days until it becomes active on their accounts.
If you haven’t already enabled two-step authentication on your account you can start the process today by following the directions in this Apple Support document.
Update: It looks like Apple is busy working on a fix – the password reset tool is currently down for maintenance.
Update 2: As noted by The Verge, Apple’s password reset tool is live again, and the exploit has been fixed.