Newly discovered security hole lets attacker reset your Apple ID with only your birthday and email address
Arriving right on the coattails of Apple's two-step verification implementation, a new security flaw has been found in Apple's password reset process for Apple IDs. The vulnerability allows an attacker to reset your Apple ID's password with only the knowledge of your Apple ID and date of birth, completely bypassing the need to answer your security questions. The Verge first reported the vulnerability after being tipped off to the hack.
iMore was independently able to reproduce the hack and confirm its validity. It is accomplished by using a specially crafted URL that is able to reset your password once you have validated your date of birth, but before the security questions have actually been answered.
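The defect described above is a step-ordering bug: a later stage of a multi-step flow is reachable without the server having recorded that the earlier stage was completed. The following is an added, hypothetical model of such a reset flow (not Apple's code; account data and step names are constructed), showing a handler that only checks the date-of-birth step beside one that requires every preceding step to be recorded server-side:

```python
# Hypothetical model of a multi-step password-reset flow (constructed example,
# not Apple's code). The weak handler only checks that the date of birth was
# validated, so a request that jumps straight to the reset step skips the
# security questions; the hardened handler requires every earlier step.

STEPS = ["dob", "questions", "reset"]  # required order of verification steps


def sample_account():
    return {"dob": "1980-01-01", "answers": {"pet": "rex"}, "password": "old"}  # constructed


class ResetSession:
    """Server-side record of which steps this reset attempt has passed."""

    def __init__(self, account):
        self.account = account
        self.completed = set()

    def verify_dob(self, dob):
        if dob == self.account["dob"]:
            self.completed.add("dob")
        return "dob" in self.completed

    def verify_questions(self, answers):
        # Accepted only after the DOB step, and only if the answers match.
        if "dob" in self.completed and answers == self.account["answers"]:
            self.completed.add("questions")
        return "questions" in self.completed


def reset_password_weak(session, new_password):
    """Weak: assumes reaching this step means the earlier ones already ran."""
    if "dob" not in session.completed:
        return False
    session.account["password"] = new_password
    return True


def reset_password_hardened(session, new_password):
    """Hardened: refuses unless every step before 'reset' is recorded done."""
    required = STEPS[: STEPS.index("reset")]
    if any(step not in session.completed for step in required):
        return False
    session.account["password"] = new_password
    return True


def demo(skip_questions):
    """(weak_result, hardened_result) for a caller who knows only the DOB."""
    weak, hard = ResetSession(sample_account()), ResetSession(sample_account())
    for s in (weak, hard):
        s.verify_dob("1980-01-01")
        if not skip_questions:
            s.verify_questions({"pet": "rex"})
    return reset_password_weak(weak, "new"), reset_password_hardened(hard, "new")
```

`demo(True)` returns `(True, False)`: the weak handler resets the password with the security-question step skipped, the hardened one refuses.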
The good news is that users who have enabled two-step verification with Apple are not vulnerable. The bad news is that some users have been getting a three-day waiting period to enable two-step verification, in order to minimize the risk of a malicious party enabling two-step verification on a compromised account. The worse news is that two-step verification is not yet available in many countries. According to the Apple FAQ:
If you are unable to enable two-step verification at this time, your next best bet is to change your date of birth on record with Apple in order to thwart any attempts on your account by somebody who knows your email and birthdate. Since this is a server-side vulnerability, Apple will hopefully be able to deploy a fix shortly, before information on how to exploit the flaw spreads.
Update: It looks like Apple has taken the iForgot page down.
Update 2: After Apple updated the password reset page to say it was down for maintenance, presumably to prevent any further attempts to use this exploit, it was discovered by iMore that the password reset hack could still be performed by providing a specific URL to bypass the maintenance page. Apple was notified and has since made the entire site completely inaccessible.
Update 3: Apple has fixed the security hole and iForgot is back up.
Update 4: A detailed look at how the exploit worked can be found here.