Just a day after introducing two-step verification for Apple’s iCloud service, a major security hole has been discovered with the Apple ID login system. Apparently a method has been found that allows anyone to reset your Apple ID password as long as they know your email address and your date of birth, two pieces of information that aren’t that hard to find nowadays.
However, the exploit only works if you don’t have the new two-step verification enabled, so those who already use the new security measure are in the safe zone. According to The Verge, the exploit consists of pasting in a modified URL and answering the date of birth security question on Apple’s iForgot web page.
The step-by-step tutorial hasn’t been made available yet, but we’re sure that it’ll only be a matter of time before more and more people get a hold of it. Obviously, this is bad news, as anyone with access to the tutorial can reset your password themselves, allowing them full access to your account and information, and looking up your email address and date of birth wouldn’t be too difficult, as a lot of people usually post this type of info on their Facebook profile.
UPDATE: Apple has taken down its iForgot page as it works on a fix for the exploit.
Of course, the simplest solution right now would be to enable two-step verification, but Apple is slowly rolling out the feature, and some users are reporting that they won’t get it for another three days, leaving them wide open to the vulnerability. In the meantime, the only way to truly protect yourself is to change your date of birth to a made-up day until Apple fixes the exploit or until you have access to the two-step verification.
[via The Verge]