Massive security hole allows attackers to reset your Apple ID by simply knowing your email address and date of birth

Apple Fail

A new Apple exploit was discovered today that can allow anyone to change your Apple ID with only your email address and date of birth using Apple’s own tool. For those who are unaware of what an Apple ID is, it is the user name for everything Apple customers do with Apple: Shop the iTunes Store, enable iCloud on all devices, buy from the Apple Online Store, make a reservation at an Apple Retail Store, access the Apple Support website, and more.

The vulnerability works by pasting a specially crafted URL that is able to reset your password once you have validated your date of birth, before any security questions have actually been answered. However, there is good news and bad news. The good news is that Apple users who have enabled 2-Step Verification, which was only released yesterday (interesting timing) are not vulnerable to this exploit. The bad news though, is that people who haven’t yet enabled the 2-Step Verification are being made to wait up to 3 days to enable the service that was only released yesterday.

three days 2-step apple

The other bad news is that Apple’s 2-Step Verification can only currently be used in the US, UK, Australia, Ireland, and New Zealand at the moment leaving everyone else highly vulnerable to the exploit.

Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand. Additional countries will be added over time. When your country is added, two-step verification will automatically appear in the Password and Security section of Manage My Apple ID when you sign in to My Apple ID.

People wishing to use the iForgot service from Apple are also out of luck at the moment due to the service being off-line, probably to try and stop people from using this latest iOS exploit. If you wish to learn more about Apple’s 2-Step Verification that protects your Apple ID, then please read this article.

The Verge were the first to report on this story, with iMore confirming the exploit after reproducing the security flaw.

%d bloggers like this: