Exploit (now offline) allowed bogus reset of Apple ID passwords (updated)
Apple's new two-step verification process has already been put to the test, thanks to a (now apparently offline) exploit that allows anyone with your email address and birthday to reset your Apple ID. The Verge confirmed the exploit after the site was made aware of a tutorial posted on a Chinese-language hacking site. The hack involves pasting a modified URL while answering the question about the account's date of birth info.
The Verge did further exploration on the hack and found that accounts that were told they needed to wait three days to enable the two-step verification are also vulnerable to the exploit. The only way to change it for those in the waiting period is for people to change their birthdays in their Apple profile.
Apple's password reset tool is in maintenance status right now, which means there's no way to use the exploit. Chances are it will remain offline until Apple gets this hole patched.
Apple maintains its Product Security page, including a contact email, to allow users, researchers or media organizations to notify the company of emergent security issues and concerns.
Update: Apple has confirmed the exploit to The Verge and says it is working on a fix.
Subscribe to Newsletter
Software Updatesmore updates
- Readdle rolls out PDF Expert 5: iCloud support, shared folder with Documents by Readdle
- FlightTrack 5: new look and features just in time for holiday travel
- HBO Go for iOS update adds Google Chromecast support
- Haiku Deck updates iPad app, launches web-based cloud version
- Weather Underground iPhone app gets crowdsourced weather, iOS 7 style
- Apple updates iMovie, adds support for older Macs