Exploit (now offline) allowed bogus reset of Apple ID passwords (updated)
Apple's new two-step verification process has already been put to the test, thanks to a (now apparently offline) exploit that allows anyone with your email address and date of birth to reset your Apple ID password. The Verge confirmed the exploit after being made aware of a tutorial posted on a Chinese-language hacking site. The hack involves pasting a modified URL into the browser at the step of the reset flow that asks for the account's date of birth.
The Verge dug further into the hack and found that accounts still in the three-day waiting period before two-step verification can be enabled are also vulnerable. The only mitigation available to users in that waiting period is to change the birthday stored in their Apple ID profile, since the date of birth is one of the two pieces of information the exploit needs; that helps only as long as the new date is not something an attacker can look up elsewhere.
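The bug class this exploit fits, as an added example written for this article and not Apple's code: a multi-step reset wizard that takes the step name from whatever URL the client pasted and verifies only the date of birth before letting the final page change the password, beside a version that records completed steps server-side and refuses any request whose earlier steps were not finished in that session. The route, query parameters, security question and sample account are assumptions; the page does not publish the actual modified URL from the tutorial.

```python
"""Model of a reset-flow step-skipping bug and its server-side fix.

Added illustration, not Apple's code. The /reset route, the token and step
parameters, the security question and the sample account are assumptions.
"""
import secrets
from urllib.parse import parse_qs, urlparse

# The wizard's steps in the order the UI presents them after the email page.
STEPS = ["dob", "security_question", "new_password"]


def sample_accounts():
    """Constructed sample data; a fresh copy per flow so runs do not share state."""
    return {
        "alice@example.com": {
            "dob": "1980-01-01",
            "security_answer": "rover",   # the check the exploit skips
            "password": "old-password",
        }
    }


class ResetFlow:
    """One server handling /reset?token=...&step=... requests.

    enforce_order=False models the vulnerable server: it assumes the browser
    can only reach the final page by passing through the security question,
    so the final step checks nothing beyond the DOB flag. enforce_order=True
    checks on every request that all earlier steps were completed in this
    session, so pasting a URL for a later step is simply denied.
    """

    def __init__(self, accounts, enforce_order):
        self.accounts = accounts
        self.enforce_order = enforce_order
        self.sessions = {}  # token -> {"email": str, "done": set of step names}

    def start(self, email):
        """Email page: open a reset session and hand the browser an unguessable token."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"email": email, "done": set()}
        return token

    def _prerequisites(self, step):
        if self.enforce_order:
            return STEPS[:STEPS.index(step)]
        # Vulnerable: only the DOB check is enforced before the reset; the
        # security question is assumed unskippable because the UI shows it next.
        return ["dob"] if step == "new_password" else []

    def handle(self, url, form):
        """Process one request; url is what the browser asked for, form the POST body."""
        query = parse_qs(urlparse(url).query)
        token = query.get("token", [""])[0]
        step = query.get("step", [""])[0]
        sess = self.sessions.get(token)
        if sess is None or step not in STEPS:
            return "denied"
        acct = self.accounts.get(sess["email"])
        if acct is None:
            return "denied"
        if any(s not in sess["done"] for s in self._prerequisites(step)):
            return "denied"  # client jumped to a step it had not earned
        if step == "dob":
            if form.get("dob") != acct["dob"]:
                return "denied"
            sess["done"].add("dob")
            return "next:security_question"
        if step == "security_question":
            if form.get("answer") != acct["security_answer"]:
                return "denied"
            sess["done"].add("security_question")
            return "next:new_password"
        if not form.get("new_password"):
            return "denied"
        acct["password"] = form["new_password"]
        self.sessions.pop(token)  # one reset per session
        return "reset"


def attack(flow, email, dob, new_password):
    """What the tutorial amounts to: pass the DOB page, then paste a URL for the final step."""
    token = flow.start(email)
    if flow.handle(f"/reset?token={token}&step=dob", {"dob": dob}) != "next:security_question":
        return "denied"
    return flow.handle(f"/reset?token={token}&step=new_password", {"new_password": new_password})


def legitimate_reset(flow, email, dob, answer, new_password):
    """The intended path through all three steps."""
    token = flow.start(email)
    result = flow.handle(f"/reset?token={token}&step=dob", {"dob": dob})
    if result != "next:security_question":
        return result
    result = flow.handle(f"/reset?token={token}&step=security_question", {"answer": answer})
    if result != "next:new_password":
        return result
    return flow.handle(f"/reset?token={token}&step=new_password", {"new_password": new_password})


if __name__ == "__main__":
    vuln = ResetFlow(sample_accounts(), enforce_order=False)
    print("vulnerable:", attack(vuln, "alice@example.com", "1980-01-01", "attacker-pw"))
    hard = ResetFlow(sample_accounts(), enforce_order=True)
    print("hardened:  ", attack(hard, "alice@example.com", "1980-01-01", "attacker-pw"))
```

The point of the hardened version is that the server, not the URL, is the record of how far the user has got: each step is marked done only after its own check passes, and every request is rejected unless all earlier steps in the session are marked. Changing the URL then gets the attacker nothing, whatever the account's two-step verification status happens to be.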
Apple's password reset tool is currently in maintenance status, so the exploit cannot be used right now. It will most likely stay offline until Apple has patched the hole.
Apple maintains a Product Security page, including a contact email, through which users, researchers and media organizations can notify the company of emerging security issues and concerns.
Update: Apple has confirmed the exploit to The Verge and says it is working on a fix.