The Verge claims to have discovered a major security hole which allows attackers to reset your Apple ID password using only your email address and date of birth. Yes, you read that right. The scary part is that it doesn’t take a genius to harvest these two pieces of information from Google and your social media accounts, or by simply piecing together your online identity.
Exploiting the vulnerability basically lets attackers take over your Apple ID account, and with it all your purchases, iTunes credits, email messages, contacts, your Photo Stream and pretty much any personal data residing up in the Apple cloud.
Apple’s iForgot page went down “due to maintenance” shortly after the incident, presumably to prevent exploits until Apple plugs the security hole. Conveniently enough, the company just recently rolled out a new (and way overdue) two-step verification process to protect your Apple ID using not only your password, but also by tapping your trusted devices and a recovery key.
With this exploit making the headlines, you should enable two-step verification now (Cody has a timely tutorial on that)…
The Verge shares details:
The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
Of course, neither The Verge nor iDB will be linking to the web site in question over security concerns.
To prevent someone from taking over your Apple ID, and possibly stealing your identity, you should enable two-step verification for your account right now by following Cody’s simple 6-step tutorial.
With two-step verification enabled, no one can exploit the password reset hole to hijack your account because they will also need a code Apple sends to your trusted device(s) and/or a recovery key.
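The following is an added illustration, not Apple’s code and not a reconstruction of the iForgot bug: a small model of a password-reset flow in which the server keeps its own record of which checks have passed and, when two-step verification is on, refuses to change the password until a trusted-device code or the recovery key has been presented. The account names, the 4-digit code, the recovery key and the `query_params` argument are all constructed for the demo; the point is that nothing the client puts in the URL can stand in for a step the server has not seen completed.

```python
"""Model of a password-reset flow that decides purely from server-side state.
Added illustration with constructed data; not Apple's implementation."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    email: str
    dob: str                                   # date-of-birth security answer
    password: str
    two_step_enabled: bool = False
    recovery_key: Optional[str] = None         # shown to the owner once at enrolment
    pending_device_code: Optional[str] = None  # last code pushed to a trusted device


@dataclass
class ResetSession:
    """Server-side record of which checks have really passed for one reset attempt."""
    email: str
    dob_verified: bool = False
    second_factor_verified: bool = False


class ResetService:
    def __init__(self, accounts: List[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.email: a for a in accounts}
        self.sessions: Dict[str, ResetSession] = {}

    def start(self, email: str) -> str:
        """Begin a reset; the opaque token is the only state the client carries."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = ResetSession(email=email)
        return token

    def answer_dob(self, token: str, dob: str) -> bool:
        s = self.sessions[token]
        if hmac.compare_digest(dob.encode(), self.accounts[s.email].dob.encode()):
            s.dob_verified = True
        return s.dob_verified

    def send_device_code(self, token: str) -> str:
        """Generate a 4-digit code for the trusted device (returned here only for the demo;
        a real service would deliver it as a push notification or text message)."""
        acct = self.accounts[self.sessions[token].email]
        acct.pending_device_code = f"{secrets.randbelow(10_000):04d}"
        return acct.pending_device_code

    def answer_second_factor(self, token: str, value: str) -> bool:
        """Accept either the code delivered to a trusted device or the recovery key."""
        s = self.sessions[token]
        acct = self.accounts[s.email]
        candidates = [c for c in (acct.pending_device_code, acct.recovery_key) if c]
        if any(hmac.compare_digest(value.encode(), c.encode()) for c in candidates):
            s.second_factor_verified = True
            acct.pending_device_code = None    # a device code is single use
        return s.second_factor_verified

    def reset_password(self, token: str, new_password: str,
                       query_params: Optional[Dict[str, str]] = None) -> str:
        """query_params stands for whatever the client pasted into the URL; it is
        deliberately never consulted, so tampering with it changes nothing."""
        s = self.sessions.get(token)
        if s is None:
            return "denied: unknown reset token"
        acct = self.accounts[s.email]
        if not s.dob_verified:
            return "denied: security question not answered"
        if acct.two_step_enabled and not s.second_factor_verified:
            return "denied: trusted-device code or recovery key required"
        acct.password = new_password
        del self.sessions[token]
        return "ok"


def demo() -> Dict[str, str]:
    """Constructed walkthrough: same knowledge (email + DOB), with and without two-step."""
    results: Dict[str, str] = {}
    # Without two-step, email + DOB alone is enough: the weakness the article describes.
    weak = ResetService([Account("alice@example.com", "1980-01-01", "old")])
    t = weak.start("alice@example.com")
    weak.answer_dob(t, "1980-01-01")
    results["no_two_step"] = weak.reset_password(t, "someone-else-chose-this")

    # With two-step, email + DOB plus a tampered URL is not enough.
    strong = ResetService([Account("bob@example.com", "1980-01-01", "old",
                                   two_step_enabled=True, recovery_key="RK-demo-key")])
    t = strong.start("bob@example.com")
    strong.answer_dob(t, "1980-01-01")
    results["two_step_tampered_url"] = strong.reset_password(
        t, "someone-else-chose-this", query_params={"second_factor_verified": "1"})
    # The legitimate owner finishes with the code pushed to a trusted device.
    code = strong.send_device_code(t)
    strong.answer_second_factor(t, code)
    results["two_step_with_code"] = strong.reset_password(t, "owner-chosen")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running it prints `ok` for the account without two-step, a denial for the two-step account no matter what was added to the URL, and `ok` again only once the trusted-device code (or, equivalently, the recovery key) has been supplied; the same `answer_second_factor` path is what makes the recovery key worth writing down and keeping safe, as the enrolment notes below explain.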
To enable two-step verification, go here.
Important: if you have changed your Apple ID password or security question(s) recently, you’ll have to wait three days before enabling two-step verification because Apple wants to be sure that someone hasn’t already hijacked your account.
Apple also has a nice FAQ detailing all the questions you may have concerning two-step verification, please take your time to read it thoroughly.
Here are a few things worth keeping in mind.
Before adding any trusted devices, you should first register any iPhone, iPad or iPod touch you own by signing in to the Apple ExpressLane service. Click the Your Products section on the left and then the Manage Your Products link at the page bottom.
You will then verify each of your trusted devices during the two-factor authentication process by typing in a four-digit code sent to each device as a standard notification. To be able to receive these codes, each of your trusted devices is required to have the Find My iPhone service enabled in Settings > iCloud.
Apple can also send you the code as a text message to any cell phone number in the United States, United Kingdom, Australia, Ireland, and New Zealand (additional countries will be added over time).
Upon successful completion of the process, your Apple ID security will be bolstered using codes sent to your trusted devices and a recovery key (write it down and put it in a safe place), in addition to your existing account password.
Apple won’t need your recovery key or codes each time you download an app: two-step verification is only used to log in to your Apple ID account on the web, make changes to it, change or reset your password or authorize a new device for iTunes purchases.
Apple underscores it’s entirely your responsibility to remember your Apple ID password, keep your trusted devices physically secure (don’t forget to unregister those you sell using ExpressLane) and store your recovery key in a safe place.
After enabling two-step verification, know that Apple Support will no longer be able to reset your password, or update or recover any of these three things (your password, your trusted devices or your recovery key) on your behalf.
Most importantly, losing access to two of these three items at the same time means you could be locked out of your Apple ID account permanently and there’s nothing Apple will be able to do about it.
You’ve been warned.