Apple’s introduction of two-step authentication for Apple IDs was a great step forward in helping users protect their account security – but according to The Verge, a new security bug has been discovered which allows anyone to reset your Apple ID password using only your email address and date of birth. Notably, the issue only affects customers who have NOT enabled two-step verification.
Apple yesterday rolled out two-step verification, a security measure that promises to further shield Apple ID and iCloud accounts from being hijacked. Unfortunately, today a new exploit has been discovered that affects all customers who haven’t yet enabled the new feature. It allows anyone with your email address and date of birth to reset your password — using Apple’s own tools. We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand. Out of security concerns, we will not be linking to the website in question.
From the sound of this report, users would be best advised to enable two-step verification as soon as possible to avoid having their accounts hacked. Unfortunately, it may not be that easy for everyone – the report also notes that some users aren’t currently able to enable two-step verification due to a strange 3-day waiting period on the feature within their accounts. For these individuals, it’s recommended that they change their birth date to something different until the issue is resolved.
Apple has yet to comment on the issue.
Update: Macworld notes that Apple has temporarily disabled its password reset tool for all accounts while it works on a fix for this issue.
Update 2: Apple has confirmed the security hole to Macworld, and notes that they are working on a fix.
Update 3: iMore has verified that Apple has now patched the security hole, and that password resets are now back online.