[Screenshot: Apple ID password reset page]

The Verge claims to have discovered a major security hole that allows attackers to reset your Apple ID password using only your email address and date of birth. Yes, you read that right. The scary part is that it doesn’t take a genius to harvest these two pieces of information from Google and your social media accounts, or simply by piecing together your online identity.

Exploiting the vulnerability basically lets attackers take over your Apple ID account, and with it all your purchases, iTunes credits, email messages, contacts, your Photo Stream and pretty much any personal data residing up in the Apple cloud.

Apple’s iForgot page went down “due to maintenance” shortly after the incident, presumably to prevent exploits until Apple plugs the security hole. Conveniently enough, the company just recently rolled out a new (and way overdue) two-step verification process to protect your Apple ID using not only your password, but also by tapping your trusted devices and a recovery key.

With this exploit making the headlines, you should enable two-step verification now (Cody has a timely tutorial on that)…

The Verge shares details:

The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.

Of course, neither The Verge nor iDB will be linking to the web site in question over security concerns.

To prevent someone from taking over your Apple ID, and possibly stealing your identity, you should enable two-step verification for your account right now by following Cody’s simple 6-step tutorial.

With two-step verification enabled, no one can exploit the password reset hole to hijack your account because they will also need a code Apple sends to your trusted device(s) and/or a recovery key.

Important: if you have changed your Apple ID password or security question(s) recently, you’ll have to wait three days before enabling two-step verification because Apple wants to be sure that someone hasn’t already hijacked your account.

[Screenshot: Apple ID two-step verification, three-day waiting period prompt]

Apple also has a nice FAQ detailing all the questions you may have concerning two-step verification. Please take your time to read it thoroughly.

Here are a few things worth keeping in mind.

Before adding any trusted devices, you should first register any iPhone, iPad or iPod touch you own by signing in to the Apple ExpressLane service. Click the Your Products section on the left and then the Manage Your Products link at the page bottom.

[Screenshot: Apple ExpressLane, Your Products section]

You will then verify each of your trusted devices during the two-step verification setup by typing in a four-digit code sent to each device as a standard notification. To be able to receive these codes, each of your trusted devices must have the Find My iPhone service enabled in Settings > iCloud.

[Screenshot: Find My iPhone setting on iPhone]

Apple can also send you the code as a text message to any cell phone number in the United States, United Kingdom, Australia, Ireland, and New Zealand (additional countries will be added over time).

Upon successful completion of the process, your Apple ID security will be bolstered using codes sent to your trusted devices and a recovery key (write it down and put it in a safe place), in addition to your existing account password.

Apple won’t need your recovery key or codes each time you download an app: two-step verification is only used to log in to your Apple ID account on the web, make changes to it, change or reset your password or authorize a new device for iTunes purchases.

Apple underscores it’s entirely your responsibility to remember your Apple ID password, keep your trusted devices physically secure (don’t forget to unregister those you sell using ExpressLane) and store your recovery key in a safe place.

After enabling two-step verification, know that Apple Support will no longer be able to reset your password, or update or recover any of these three items (your password, your trusted devices and your recovery key) on your behalf.

Most importantly, losing access to two of these three items at the same time means you could be locked out of your Apple ID account permanently, and there’s nothing Apple will be able to do about it.

You’ve been warned.

  • Well my date of birth in iTunes is 1923, nothing to worry about! 😀

    • Way to go letting in potential attackers on your iTunes birth date 🙂

      • iospixel

        True, but one would need to know his login. The sad thing about this is that if you do lose your account, chances are you have some sort of relationship with them.

  • King

    I never use my real details for anything on the web

    • It doesn’t matter. There are people out there who know you in person or through someone. You’d be surprised how easy it is to figure out anyone’s date of birth. Do yourself a favor and protect your Apple ID. Better safe than sorry…

  • ghulamsameer

    So much verification just to download apps…

    • As I stated in the article, downloading apps from trusted devices will require only your Apple ID credentials, so no changes here. Two-step verification is only used when you first try to download an app from a new device that hasn’t been registered as ‘trusted’ or to make changes to your Apple ID on the web. And of course, two-step verification is optional and you are not required to use it…

      • ghulamsameer

        Oh, that makes more sense. Thank you for clearing that up.

  • wtf, I have to wait 3 days for this to be turned on?!

    • that’s for your own security..

      From Apple’s FAQ:

      As a basic security measure, Apple does not allow two-step verification setup to proceed if any significant changes have recently been made to your account information. Significant changes can include a password reset or new security questions. This waiting period helps Apple ensure that you are the only person accessing or modifying your account. While you are in this waiting period, you can continue using your account as usual with all Apple services and stores.

      Apple will send an email to all the addresses you have on file notifying you of the waiting period and encouraging you to contact Apple Support if you think that someone else has unauthorized access to your account. You will be able to return to set up two-step verification after the date listed on your Apple ID account page and in the email that you receive.

  • wtf, so I have to wait 3 days for this to activate??

  • why are my posts deleting?

  • help

  • seyss

    another apple failure
    siri, maps, appleid, itunes, itunes match, no obex, no support for most codecs….

    • Guest

      It’s definitely a failure, but it doesn’t belong in your list, you fucking retard…

    • “no support for most codecs”. you should get out more often…

      • seyss

        apple supported codecs: h264/mpeg2, aac/mp3

        android supported codecs: wmv, avi, xvid, h264, hevc, mpeg2, aac/mp3, wma

        is it so hard to understand or you need apple to tell you this?

      • sadaN

        what the fuck are you doing here then?
        go read an Android for fuck’s sake

      • Falk M.

        Ignoring your horrible grammar, how about you realize Apple might still make the device that satisfies most of one’s needs amongst all the others, but still isn’t perfect?

        To say that you only buy an Apple device or any device for that matter if it covers 100% of your needs would leave you with a constantly empty shopping cart.

      • sadaN

        If I were to consider your TYPING MISTAKES as being grammar mistakes as you did to me, there would be a couple to point out in your statement.
        I hope you’re not a native English speaker like me, so you have an excuse; otherwise, shame on you…

      • seyss

        I prefer apple over android, but I’m not blind.
        and since you made this personal, stop being a blind fanboy you camel jockey

      • sadaN

        He was the one who brought my English skills into question!
        How is it me who made it personal?

      • smtp25

        Oplayer and others on iOS can all play a ton of codecs unconverted

      • Falk M.

        Whilst true, that stuff should come bundled with the OS so you could actually make the stuff work in iTunes and standard iOS apps and sync with iTunes.

    • Liam Mulcahy

      Most of those aren’t fails!!!

  • Apple looks like they’re about to patch this, the iForgot portal has just gone down.

  • I think it’s best for our security to, at once, remove ourselves from the dangerous Apple ecosystem.

    • seyss

      and you are hot