Just after Apple unveiled two-factor authentication in a move to better protect Apple ID and iCloud accounts, the company had to do an about-face and fix an issue with its own password reset tool.
This new exploit allows anyone to gain access to private accounts by pasting a modified URL and then adding a victim’s email address and birth date on the iForgot password reset page. Soon after learning of the exploit, Apple took the iForgot page down for “maintenance.”
Even users who have enabled Apple’s new two-step verification process remain vulnerable, since there is a three-day waiting period to “ensure that no one other than the owner of this Apple ID can set up two-step verification.” An email goes out during that period to help establish validity.
Apple’s new system, available only in the United States, United Kingdom, Australia and New Zealand, uses a 14-digit recovery key that can be used to regain access to an otherwise locked account without needing a personal security question.
Apple has been suffering from a run of security issues of late: earlier this month a video surfaced showing how someone could bypass the lock screen of a password-protected iPhone to access the device’s phone app, contacts, voicemail and photos.
Regarding this more recent security hole, Apple issued a statement saying, “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.”
In addition to starting the process to enable two-step verification, users can reduce the risk of someone hijacking their account by changing the birth date on file. To do so, open the Privacy & Security button at the bottom of the Apple Account Settings page.