Well, this is strange timing. Just a day after Apple introduced two-step verification for Apple IDs and iCloud accounts, a new vulnerability has been discovered that affects anyone not already signed up for the increased security. According to The Verge, the exploit allows anyone to reset the password of an Apple ID with just the account's email address and date of birth. With that information, a malicious individual needs to simply paste a certain URL into his or her address bar while being presented with the date of birth question in Apple's iForgot password reset process.
This security hole sounds pretty serious, not only because it could allow someone to reset a user's Apple ID password, but also because of how easy it is to perform with the correct information. The good news is that Apple's new two-step verification can protect a user's account from this exploit. Two-step verification can be enabled right here. Unfortunately, The Verge notes that some users have been told that they need to wait three days before enabling two-step verification on their accounts, so for now they'll need to try and change the date of birth on their account to something else to try and avoid having their password reset. Apple has yet to comment on this vulnerability, but we'll let you know if it issues a statement. How many of you have already enabled Apple's two-step verification?
UPDATE: Apple still hasn't commented on the vulnerability, but it has taken its password reset tool offline.
UPDATE 2: Apple has confirmed the existence of the security hole in a statement given to The Verge, adding that it is currently working on a fix. The full statement:
"Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix."
UPDATE 3: The iForgot password reset tool is now back online, and iMore notes that the vulnerability has now been patched. Still, Apple ID users that haven't yet signed up for two-step verification may want to do so to add an extra layer of security to their account.
Via The Verge (1), (2), iMore
