Apple fixes iForgot security hole that compromised Apple ID passwords

By , Mar 23, 2013


That was fast. Earlier today, Christian told you that a major security hole had been discovered involving Apple’s iForgot page that allowed someone to reset your Apple ID password with just your birthdate and email address.

Unsurprisingly, Apple immediately took the password page down after getting word of the vulnerability. And after just a few hours of ‘maintenance,’ the page is back up and—we’re happy to report—once again safe to use…

The Verge was the first to report the security hole:

“The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.”
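The page does not disclose the exact URL that was modified, but the description above fits a well-known class of bug: a multi-step reset flow in which the request itself tells the server which step the client is on, so a client can name a later step and skip the check in front of it. The following is an added illustration of that class and its fix, not Apple's iForgot code; the account data, parameter names and in-memory session store are constructed for the example.

```python
"""
Illustrative password-reset flow: a step-skipping weakness beside its fix.
Added example, not Apple's iForgot code. ACCOUNTS, the step names and the
session store are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample account (hypothetical data).
ACCOUNTS: Dict[str, dict] = {
    "alice@example.com": {"dob": "1990-05-17", "secret_answer": "rover"},
}


# --- Weak pattern: the client's request names the step it is on --------------
def weak_reset(email: str, dob: str, step: str, answer: Optional[str] = None) -> str:
    """Each request carries its own `step`. A client that submits step=reset
    with a matching email and DOB never sees the secret question at all."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["dob"], dob):
        return "denied"
    if step == "question":
        return "ask_secret_question"
    if step == "reset":
        return "password_reset_form"   # BUG: no proof the question was ever answered
    return "denied"


# --- Hardened pattern: the server owns the state machine ---------------------
@dataclass
class ResetSession:
    email: str
    stage: str = "dob"                 # dob -> question -> reset
    token: Optional[str] = None


class ResetService:
    """Progress lives server-side; each stage can only be entered from the
    previous one, and the final reset needs a single-use token the server
    issued only after every earlier check passed."""

    def __init__(self) -> None:
        self._sessions: Dict[str, ResetSession] = {}

    def start(self, email: str) -> str:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = ResetSession(email=email)
        return sid

    def verify_dob(self, sid: str, dob: str) -> bool:
        s = self._sessions.get(sid)
        if s is None or s.stage != "dob":
            return False                # wrong stage: cannot replay or skip
        acct = ACCOUNTS.get(s.email)
        ok = acct is not None and hmac.compare_digest(acct["dob"], dob)
        if ok:
            s.stage = "question"
        return ok

    def verify_answer(self, sid: str, answer: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None or s.stage != "question":
            return None
        expected = ACCOUNTS[s.email]["secret_answer"].lower()
        if not hmac.compare_digest(expected, answer.lower()):
            return None
        s.stage = "reset"
        s.token = secrets.token_urlsafe(32)
        return s.token

    def reset_password(self, sid: str, token: str, new_password: str) -> bool:
        s = self._sessions.get(sid)
        if s is None or s.stage != "reset" or s.token is None:
            return False
        if not hmac.compare_digest(s.token, token):
            return False
        del self._sessions[sid]         # reset tokens are single-use
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        ACCOUNTS[s.email]["password"] = (salt, digest)
        return True


def demo() -> dict:
    """Run both flows with the constructed account and report what happened."""
    skipped = weak_reset("alice@example.com", "1990-05-17", step="reset")
    svc = ResetService()
    sid = svc.start("alice@example.com")
    blocked = svc.reset_password(sid, "guess", "newpw")       # no token yet
    svc.verify_dob(sid, "1990-05-17")
    token = svc.verify_answer(sid, "rover")
    done = svc.reset_password(sid, token, "newpw")
    return {"weak_flow": skipped, "hardened_skip": blocked, "hardened_full": done}


if __name__ == "__main__":
    print(demo())
```

In the weak flow the attacker's only prerequisites are the email address and birthdate, exactly the two facts the article says were enough; in the hardened flow the same request is refused because the session never reached the `reset` stage. Keeping the stage in server-side state (or in a server-signed, expiring token) rather than in anything the client can edit is the general fix.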

The discovery of the exploit came just one day after Apple introduced a two-step verification process that, once enabled, requires you to verify your identity from one of your devices before making account changes or purchases.

Of course, we recommended enabling the process to help protect your Apple ID. But doing so requires a strong password, and folks who don’t already have one must set one up and then sit out a three-day waiting period, leaving them vulnerable in the meantime.

But the good news is, Apple has fixed the exploit, and the iForgot page is safe to use again. We still, however, recommend setting up two-step verification for the added security. If you need help, we have a step-by-step tutorial.

  • http://twitter.com/joao_fragoso16 João Fragoso

    Finally

    • http://twitter.com/MCaudebec Maxim∑

      what do you mean finally? they fixed the exploit within 24hr…

  • http://twitter.com/Jack_maredit Jackson Grong

    Who knows how many security holes like that the page has; maybe they’re just not public.

    • http://www.facebook.com/tafk1 Taf Khan

      You can never guarantee an application doesn’t have its flaws.

      As a software tester I can appreciate this: although you ensure the quality is fit for release, the release schedule, testing effort and costing all have an impact on this. Testing has to stop at some point; the good thing here is the speed at which the defect was fixed.

      What you say holds some truth, but this is true of any application.

    • iDon’tWantToShareMyDetails

      I wouldn’t classify this as a security hole, that would imply that personal information is leaked to third parties and in this case you actually need to know your victim pretty well (you need the email, birth date) or use facebook and you still don’t get full access to the account – you just reset the password. Worst case scenario – someone will reset your password and you’ll just have to reset it back through your email.

      Consider this – the iPhone as a security system is really good, and some moronic lock screen bypasses do not invalidate the fact that iOS is one of the most secure mobile systems we have today (thanks to jailbreakers, of course).

      • mudassir khan

        6.1.3 jailbreak as soon as possible because I’m working on this part…

  • http://twitter.com/myorangeisstuck wahaha

    Is the page running on iOS 6.1.3? Because it has as many bugs as the lock screen.

    • RarestName

      You mean one bug.

      • EpicFacepalm

        The lock screen still has bugs. I found 2 glitches but forgot how to do them. The first one was a GUI bug (minor); the second one allows you to open the multitasking switcher (medium threat) without entering the passcode.

      • RarestName

        I agree. I even had those issues before.

  • aHoks

    In the morning my iPad and my iPhone asked me for my Apple ID password. I entered it, but it said it was wrong… And after some tries Apple locked my account. On the iForgot website they sent me an email, but the email isn’t there, and I can’t access my .me email either. Please help me.