Apple rolls out fix for password reset security hole, iForgot site back up

Apple’s iForgot password reset page is now back online, and iMore has verified that the security hole discovered in it earlier today has been closed.

Before the fix, an attacker who knew a victim’s Apple ID and date of birth could, after entering them, send Apple a crafted URL that set a new password for that account without ever answering the account’s security questions. In effect, the server accepted the final step of the reset flow without confirming that the earlier verification step had been passed. In response, Apple first blocked access to the password reset page, then a short while later took the entire iForgot site down after a second loophole was found that still allowed the attack to be performed.

This vulnerability came at an interesting time, just a day after Apple began to roll out its two-step verification system. Users who had already enrolled in the new system appear to have been immune to the password reset vulnerability.
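The class of flaw described above (the last step of a multi-step reset flow being accepted without proof that the earlier step was completed), and the reason an enrolled account could be immune, as an added example that is not code from this page or from Apple. The toy flow, the `alice@example.com` account data and the `trusted_device_inbox` stand-in for code delivery are all constructed; the page does not describe iForgot’s real request format, so the vulnerable class shows the general pattern, not Apple’s implementation:

```python
"""Toy model of a multi-step password reset flow.  Added illustration for
this article, not Apple's code: the page does not describe iForgot's real
request format, and the account data below is constructed."""
import copy
import hmac
import secrets

# Constructed sample account (hypothetical user, not real data).
SAMPLE_ACCOUNTS = {
    "alice@example.com": {"dob": "1985-04-12", "security_answer": "rover",
                          "two_step_enrolled": False, "password": "old-pw"},
}

def fresh_accounts():
    """Independent copy so each flow below starts from the same state."""
    return copy.deepcopy(SAMPLE_ACCOUNTS)

def _same(a, b):
    """Constant-time comparison for answers and one-time codes."""
    return hmac.compare_digest(a.encode(), b.encode())

class VulnerableReset:
    """Each step is its own endpoint; the final one only checks that a reset
    session exists, never that the question step was passed, so a client
    who knows that endpoint's URL can call it directly."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.sessions = {}  # token -> account id

    def start(self, account_id, dob):
        acct = self.accounts.get(account_id)
        if acct is None or not _same(acct["dob"], dob):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = account_id
        return token

    def answer_question(self, token, answer):
        account_id = self.sessions.get(token)
        if account_id is None:
            return False
        # Result goes back to the client but is never recorded server-side.
        return _same(self.accounts[account_id]["security_answer"], answer)

    def set_password(self, token, new_password):
        account_id = self.sessions.get(token)
        if account_id is None:
            return False
        self.accounts[account_id]["password"] = new_password  # no step check
        return True

class HardenedReset:
    """Same endpoints, but each session carries a server-side state
    (question -> code if enrolled -> set).  Every endpoint refuses unless the
    session is in the state that precedes it; the password change consumes it."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.sessions = {}              # token -> {"id", "state", "code"}
        self.trusted_device_inbox = {}  # simulates delivery of the 2SV code

    def start(self, account_id, dob):
        acct = self.accounts.get(account_id)
        if acct is None or not _same(acct["dob"], dob):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"id": account_id, "state": "question", "code": None}
        return token

    def _session(self, token, expected_state):
        s = self.sessions.get(token)
        return s if s is not None and s["state"] == expected_state else None

    def answer_question(self, token, answer):
        s = self._session(token, "question")
        if s is None:
            return False
        acct = self.accounts[s["id"]]
        if not _same(acct["security_answer"], answer):
            return False
        if acct["two_step_enrolled"]:
            s["code"] = "".join(secrets.choice("0123456789") for _ in range(6))
            self.trusted_device_inbox[token] = s["code"]  # simulated delivery
            s["state"] = "code"
        else:
            s["state"] = "set"
        return True

    def submit_code(self, token, code):
        s = self._session(token, "code")
        if s is None or not _same(s["code"], code):
            return False
        s["state"] = "set"
        return True

    def set_password(self, token, new_password):
        s = self._session(token, "set")
        if s is None:
            return False
        self.accounts[s["id"]]["password"] = new_password
        del self.sessions[token]  # single use: replaying the URL does nothing
        return True
```

The point of the hardened version is that the flow’s position is held on the server and advanced only by a successful check, so the client never gets to assert which step it is on by choosing a URL. A production flow would also rate-limit the date-of-birth and answer checks per account and expire reset sessions, which this toy omits.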

Unfortunately, some users were still in the three-day waiting period required to enable two-step verification, while others live in countries where it is not yet available.

Today’s events serve as an important example of why two-step verification is a good idea. People interested in getting two-step verification set up can find out how with iMore’s tutorial.

Update: Details on how the exploit worked can be found here.

Nick Arnott
  • Glad they fixed it quickly. I turned on 2-step though just to be on the safe side.
  • The first time that Apple acted fast like Google.
  • I actually think they are acting very quickly lately. The Java exploits are blocked nearly as soon as they are identified, and await Oracle updating. iOS 6.1?
    Released January 28, 2013 (54 days ago). Since that time, 3 point releases, averaging one every 18 days.
    6.1.1 - 2/6/13 (9 days, 4S only/3G issue)
    6.1.2 - 2/19/13 (13 days, Exchange bug)
    6.1.3 - 3/19/13 (31 days, passcode bypass)
    I anticipate 6.1.4 within a week to patch the remove-SIM passcode bypass. This is pretty quick for client systems. The fix today was backend, with fewer variables.
  • Google acts fast? Then why does Eric Schmidt use a BlackBerry?
  • In the news these days we are hearing stories of security holes: Samsung, Apple and BlackBerry. Just another day.
  • Good to see Apple is on their A game when it comes to exploits.
  • This is also the good thing about Apple. The lock screen bug found in Samsung's S3 and Note 2, I believe, is still unfixed. Once they are fixed they still have to be approved by carriers.
  • Glad that they fixed this problem...Hope they will make more security things :)
  • Of course Apple moved fast here, glad they did too. They needed to protect their customers' accounts and this lets people see that Apple is serious about security flaws as well. This is very good news for everyone.
  • Glad there's one less flaw in the system, but it would be nice if there were a better way than 2-step verification, since on the road I don't always have cell coverage.
  • If you don't have cell coverage you don't have internet, so you can't log in. If you have internet (wireless) and you don't have cell coverage, then don't use 2-step verification.
  • Security is paramount in these days. Better to be over secure than under.
  • I'm glad they are constantly on their toes, creating new security and trying to patch loopholes for security issues. Sad thing is, I cannot upgrade due to losing my precious jailbreak. :(
  • Good thing I did two step I guess.
  • Man, it seems like one Apple issue after another. You would think they would be more on their toes considering how hard the entire world watches them.
  • Not good that there was this bug in the first place, but like many readers, I'm glad they fixed it so quickly.