New Loophole Lets Attacker Reset An Apple ID With Only Your Birthday And Email Address

A worrying new security hole allows for an Apple ID to be hacked, simply by knowing the user’s email address and date of birth. The Verge first reported the vulnerability after being tipped off to the hack.

The Verge reports:

[T]oday a new exploit has been discovered that affects all customers who haven’t yet enabled [two-step verification]. It allows anyone with your email address and date of birth to reset your password — using Apple’s own tools. We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page.

The vulnerability affects all customers yet to upgrade to the two-step verification process, leaving those users’ accounts wide open to anyone who knows those not-exactly-hard-to-track down pieces of basic data. 

The bad news is that two-step verification is not yet available in many countries. According to the Apple FAQ:

Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand. Additional countries will be added over time. When your country is added, two-step verification will automatically appear in the Password and Security section of Manage My Apple ID when you sign in to My Apple ID.

After the discovery, Apple subsequently took down the iForgot password reset page “for maintenance,” and updated the iCloud System Status webpage to inform users of the issue. 

In a statement to The Verge the company said, “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.”

At the time of posting, Apple has taken down the iForgot page to avoid further hacks.

Update : Several online sources report that the loophole has been fixed.

[Via The Verge]