Earlier today, a password reset vulnerability was discovered that allows extremely easy access to anyone's Apple ID or iCloud account - so easy, in fact, that all that is needed to hijack an account is the owner's email address and date of birth. Through Apple's own iForgot password reset page, a user can skip the important security questions step by using a modified URL while answering the date of birth step in the reset process.
The vulnerability only affected those who had not already enabled two-step verification on their Apple account. However, as that service is only available to a small number of people worldwide, and it takes up to three days for the extra security to kick in, the vast majority of users were affected.
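The flaw described above is a classic multi-step flow problem: the server let the name of the step sent by the client decide what ran, instead of checking its own record of which steps had actually been passed. The following is an added example, not code from the article or from Apple, that models such a reset flow in plain Python and contrasts a handler that trusts the client's step name with one that enforces prerequisites server-side. The account data, step names, the six-digit stand-in code and every function name are constructed for illustration.

```python
"""Added example (not the article's or Apple's code): a toy password-reset
flow showing why each step must be gated on server-side state."""

from dataclasses import dataclass, field
from datetime import date

# Constructed sample account store; not a real Apple ID.
ACCOUNTS = {
    "alice@example.com": {
        "dob": date(1985, 4, 12),
        "security_answers": {"first pet": "rex"},
        "two_step_enabled": False,
        "password": "old-password",
    }
}


@dataclass
class ResetSession:
    """Server-side record of one reset attempt; the client never holds it."""
    email: str
    completed: set = field(default_factory=set)


class StepOutOfOrder(Exception):
    """Raised when a step is requested before its prerequisites are done."""


def required_before(step: str, account: dict) -> tuple:
    """Prerequisites for each step (constructed). Accounts with two-step
    verification must also present a verified second-factor code before a
    new password is accepted, mirroring why such accounts were unaffected."""
    prereqs = {
        "email": (),
        "dob": ("email",),
        "security_questions": ("email", "dob"),
        "two_step_code": ("email", "dob"),
        "new_password": ("email", "dob", "security_questions"),
    }
    needed = prereqs[step]
    if step == "new_password" and account["two_step_enabled"]:
        needed = needed + ("two_step_code",)
    return needed


def verify(step: str, account: dict, data: dict) -> bool:
    """Check the evidence submitted for one step."""
    if step == "email":
        return True
    if step == "dob":
        return data.get("dob") == account["dob"]
    if step == "security_questions":
        return all(data.get(q) == a for q, a in account["security_answers"].items())
    if step == "two_step_code":
        return data.get("code") == "000000"  # constructed stand-in for a real OTP check
    if step == "new_password":
        return bool(data.get("password"))
    return False


def handle_step(session: ResetSession, step: str, data: dict, enforce_order: bool) -> bool:
    """Process one step. With enforce_order=False the step name alone decides
    what runs, so a client that names a later step skips the earlier ones
    (the weak pattern); with enforce_order=True the server consults its own
    record of completed steps (the hardened pattern)."""
    account = ACCOUNTS[session.email]
    if enforce_order:
        missing = [s for s in required_before(step, account) if s not in session.completed]
        if missing:
            raise StepOutOfOrder(f"{step} requested before {missing}")
    if not verify(step, account, data):
        return False
    session.completed.add(step)
    if step == "new_password":
        account["password"] = data["password"]
    return True


def skip_questions_attempt(enforce_order: bool) -> bool:
    """Replay the article's scenario: email and date of birth are supplied,
    then the client names the new-password step directly, never answering
    the security questions. Returns True if the password was changed."""
    ACCOUNTS["alice@example.com"]["password"] = "old-password"
    session = ResetSession("alice@example.com")
    handle_step(session, "email", {}, enforce_order)
    handle_step(session, "dob", {"dob": date(1985, 4, 12)}, enforce_order)
    try:
        handle_step(session, "new_password", {"password": "changed"}, enforce_order)
    except StepOutOfOrder:
        return False
    return ACCOUNTS["alice@example.com"]["password"] == "changed"


def legitimate_sequence() -> bool:
    """The full flow, in order, against the enforcing handler; should succeed."""
    ACCOUNTS["alice@example.com"]["password"] = "old-password"
    session = ResetSession("alice@example.com")
    handle_step(session, "email", {}, True)
    handle_step(session, "dob", {"dob": date(1985, 4, 12)}, True)
    handle_step(session, "security_questions", {"first pet": "rex"}, True)
    return handle_step(session, "new_password", {"password": "changed"}, True)


if __name__ == "__main__":
    print("trusting the client's step name:", skip_questions_attempt(enforce_order=False))  # True
    print("checking server-side state:     ", skip_questions_attempt(enforce_order=True))   # False
```

The design point is that the only authority on which steps have been passed is the `ResetSession` the server holds; nothing in the request (path, query string, form field) should be able to assert "security questions done". Logging every `StepOutOfOrder` rejection also gives a cheap detection signal for anyone probing a reset flow for this kind of skip.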
After The Verge confirmed the vulnerability existed in the wild and informed Apple, Apple confirmed that the exploit exists and said it is "working on a fix", as it takes "customer privacy very seriously". As a precautionary measure, Apple has temporarily disabled the iForgot password reset tool; there is currently no timeframe for the service being restored.
Update: The iForgot password reset service has now been restored.
Source and image: The Verge (1) | (2)