Newly discovered security hole lets attacker reset your Apple ID with only your birthday and email address

Arriving right on the coattails of Apple’s two-step verification rollout, a new security flaw has been found in Apple’s password reset process for Apple IDs. The vulnerability allows an attacker to reset your Apple ID’s password knowing only your Apple ID and date of birth, completely bypassing the need to answer your security questions. The Verge first reported the vulnerability after being tipped off to the hack.

iMore was independently able to reproduce the hack and confirm its validity. It is accomplished by using a specially crafted URL that is able to reset your password once you have validated your date of birth, but before the security questions have actually been answered.
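The flaw described above is a step-skipping problem in a multi-step flow: the final reset request was honoured once the date of birth had been checked, even though the security-questions step had never been completed. The following Python example is added here to illustrate the defensive pattern; it is not iMore's or Apple's code, and the handler names, the session record and the `questions_verified` form field are hypothetical. It places a handler that trusts a client-supplied "questions answered" flag beside one that only honours the reset when every step has been recorded server-side.

```python
"""Added example (not iMore's or Apple's code): server-side enforcement of a
multi-step password-reset flow.

The handler names, the session shape and the `questions_verified` form field
are hypothetical; the account data is constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Steps of the reset flow; the server must see every one completed, in order.
STEP_DOB = "dob_verified"
STEP_QUESTIONS = "questions_verified"
REQUIRED_STEPS = (STEP_DOB, STEP_QUESTIONS)


@dataclass
class ResetSession:
    """Server-side record of progress through the reset flow (hypothetical)."""
    account: str
    completed: Set[str] = field(default_factory=set)


def new_store() -> Dict[str, dict]:
    """Constructed account data. A real system would hash answers and passwords."""
    return {
        "user@example.com": {
            "dob": "1980-01-01",
            "answers": {"first_pet": "fluffy"},
            "password": "old-password",
        }
    }


def verify_dob(store, session: ResetSession, dob: str) -> bool:
    """Step 1: record DOB verification only when the supplied date matches."""
    if store[session.account]["dob"] == dob:
        session.completed.add(STEP_DOB)
        return True
    return False


def verify_questions(store, session: ResetSession, answers: Dict[str, str]) -> bool:
    """Step 2: only reachable after step 1 has been recorded server-side."""
    if STEP_DOB in session.completed and answers == store[session.account]["answers"]:
        session.completed.add(STEP_QUESTIONS)
        return True
    return False


def reset_password_vulnerable(store, session: ResetSession, form: Dict[str, str]) -> bool:
    """Vulnerable pattern: the request itself asserts that step 2 was done.

    Only step 1 is checked against server state; completion of the security
    questions is read from a client-controlled form field, so a request that
    never went through the questions page is still honoured.
    """
    if STEP_DOB not in session.completed:
        return False
    if form.get(STEP_QUESTIONS) != "1":   # trusts the client's claim
        return False
    store[session.account]["password"] = form["new_password"]
    return True


def reset_password_hardened(store, session: ResetSession, form: Dict[str, str]) -> bool:
    """Hardened pattern: every required step must be recorded server-side."""
    if not all(step in session.completed for step in REQUIRED_STEPS):
        return False
    store[session.account]["password"] = form["new_password"]
    return True


def demo() -> Dict[str, bool]:
    """Submit a final reset request that skips the security-questions step."""
    skipped = {STEP_QUESTIONS: "1", "new_password": "chosen-by-requester"}
    results = {}

    store, session = new_store(), ResetSession("user@example.com")
    verify_dob(store, session, "1980-01-01")
    results["vulnerable_accepts_skip"] = reset_password_vulnerable(store, session, skipped)

    store, session = new_store(), ResetSession("user@example.com")
    verify_dob(store, session, "1980-01-01")
    results["hardened_accepts_skip"] = reset_password_hardened(store, session, skipped)

    # The hardened handler still works when the flow is followed in full.
    verify_questions(store, session, {"first_pet": "fluffy"})
    results["hardened_accepts_full_flow"] = reset_password_hardened(store, session, skipped)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened handler is that the only evidence of progress it accepts is what the server itself wrote into the session at each step; nothing in the URL or form body can vouch for a step, so the ordering of the flow cannot be short-circuited by a hand-built request.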

The good news is that users who have enabled two-step verification with Apple are not vulnerable. The bad news is that some users face a three-day waiting period before two-step verification is enabled, a delay Apple imposes to minimize the risk of a malicious party turning on two-step verification for an account they have already compromised. The worse news is that two-step verification is not yet available in many countries. According to the Apple FAQ:

Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand. Additional countries will be added over time. When your country is added, two-step verification will automatically appear in the Password and Security section of Manage My Apple ID when you sign in to My Apple ID.

If you are unable to enable two-step verification at this time, your next best bet is to change your date of birth on record with Apple in order to thwart any attempts on your account by somebody who knows your email address and birthdate. Since this is a server-side vulnerability, Apple will hopefully be able to deploy a fix shortly, before information on how to exploit the flaw spreads.

Update: It looks like Apple has taken the iForgot page down.

Currently Unavailable

Sorry, the site is currently unavailable due to maintenance. Please check back later.

Update 2: After Apple updated the password reset page to say it was down for maintenance, presumably to prevent any further attempts to use this exploit, it was discovered by iMore that the password reset hack could still be performed by providing a specific URL to bypass the maintenance page. Apple was notified and has since made the entire site completely inaccessible.

Update 3: Apple has fixed the security hole and iForgot is back up.

Update 4: A detailed look at how the exploit worked can be found here.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at POSSIBLE Mobile. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.

Reader comments

19 Comments

I don't follow how they are slow to react to bugs. They took the site down almost immediately after the bug was publicized.

@stephen007 Well not immediately but you are right in this case the response was (reasonably) fast enough. Doesn't take away that such a large security hole shouldn't exist in the first place.

Wow, it seems every ten stories is a new security flaw story, and this is a big one. Tomorrow I will set up two-step verification if it lets me. All it takes is a hacker to bypass the down page.

The real scary part is that a very small percentage of Apple product users follow the industry on sites like iMore, and are never going to take the steps necessary to fix these issues.

Oh Apple. Please hire some experts in QA and security. The guy from Adobe (a vendor that fails in both) is not helping either.

Same here in Germany. I do not understand why they could not roll out this feature around the globe.

Not saying this is not a serious security hole (not being an expert, it certainly seems to be) but the headline seems a bit exaggerated.

"It is accomplished by using a specially crafted URL..." doesn't exactly jibe with "allows an attacker to reset your Apple ID’s password with only the knowledge of your Apple ID and date of birth"

Am I missing something or is the headline exaggerating?

It's okay now. I've been told by Apple that the security flaw is fixed so it isn't necessary to do the double verification; however, you should still do it. It won't hurt you to be more secure.

That would be annoying if someone had just reset my password. Well, for some of my other accounts in other stuff, before I got those reset password alerts. It is quite frustrating to receive those emails.

Apple is once again on top of their game. This was fixed as soon as it was made public. Great job Apple...unlike any other company on the planet. Security and Privacy are becoming more and more important. Dang Hackers!!!