Previously, after providing a victim’s Apple ID and date of birth, an attacker could send a URL to Apple that would change the password for that account, without needing to answer any security questions. In response, Apple blocked access to the password reset page, and a short while later took the entire site down in light of another loophole that still allowed the attack to be performed.
This vulnerability came at an interesting time, just a day after Apple began to roll out its two-step verification system. Users who had already enrolled in the new system seem to have been immune from the password reset vulnerability.
Unfortunately, some users were held in a three-day waiting period for enabling two-step verification, while others live in countries where two-step verification is not currently available.
Today’s events serve as an important example of why two-step verification is a good idea. People interested in getting two-step verification set up can find out how with iMore’s tutorial.
Update: Details on how the exploit worked can be found here.