New Apple ID Exploit Allows Others To Reset Your Password; Here's How To Protect Yourself

Apple may have finally added two-factor authentication, but a new exploit is putting Apple IDs at risk in a way that two-factor authentication can't necessarily fix. Here's what you need to know.

The Verge is reporting that a new exploit, involving a small URL trick on Apple's iForgot page, will let anyone reset your password using just your email address and your date of birth. Since this information is so easy to come by, that means there are a lot of people who could change your Apple ID password. Two-step authentication would fix the problem, but as of right now, a lot of people aren't able to sign up for the new security feature. Ironically, Apple is citing "security reasons" for making people wait a certain number of days before they can sign up.

So how can you fix the problem if you haven't already enabled two-factor authentication? Change your date of birth to a fake date that only you can remember. Hopefully, Apple will fix the problem soon, and you'll be able to change it back. But for now, head to your account settings page on Apple's web site and change your birthday under the "Password and Security" menu. Hit the link to read more.

Major security hole allows Apple passwords to be reset with only email address, date of birth [The Verge]


Comments

    Poor old Apple. After a couple of decades of having a <5% share of the global PC market, thus being so far from any hacker radar that... [insert quip here]. Now they have a market where they are the 95% and their flaws are showing again and again just like any other BIG company. Hardware is their forte. Systems and security... not so much.

    I find it odd that they hold onto many, many tens of billions of dollars in cash, yet when things like this come up they often cite "lack of engineering resources" as an excuse for not fixing things quickly. Seems to me lack of engineering talent would be more apt. They happily spend on lavish new buildings. How about spending on testing products before shipping to paying customers?

    Case in point. I just plugged in my iPad to my iMac to charge it up and sync. It tells me there's a minor point-update to the iOS. Click here to download.... 1.2GB !!! of data. Apple... why is it that every other tech vendor can issue small delta-updates but you force customers into downloading the WHOLE operating system just to patch a few files?

    I will activate TFA for my iTunes store account because... well, why give "the bad guys" even a small crack into my personal online security by just leaving it open like it (apparently) is, thanks to Apple's poor testing and programming.

    Years ago I removed any credit-card details from my iTunes and Apple Store accounts, for this reason. And that iTunes / Apple Store is such a HUGE target for nefarious hackers.

      "I just plugged in my iPad to my iMac to charge it up and sync. It tells me there's a minor point-update to the iOS. Click here to download.... 1.2GB !!! of data. Apple... why is it that every other tech vendor can issue small delta-updates but you force customer into downloading the WHOLE operating system just to patch a few files."

      Apple have done delta updates for iOS since version 5, if I remember correctly, but only if you perform the software update from the Settings app. I guess the reason the 1.2GB of data was downloaded onto your iMac is that it downloads the full .ipsw file, and replaces whatever older .ipsw file you have, just in case you need to restore it (so you don't need to download it again until a new version comes out).

      I do agree that these security issues are a bit concerning though.

      Last edited 23/03/13 10:40 am

    Is anyone having the issue of not being able to set up the SMS security notification? Whenever I input my phone number the verification text never comes through. Does anyone know how to fix this?

      If your phone number is 0444 555 6789 make sure you enter it as +61 444 555 6789

    Lol my date of birth is ALWAYS a fake date unless it's for a govt/official thing. I just don't think they need it and don't trust them with the info!
