
Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

The Verge is reporting that the Apple ID login system has been compromised and passwords can be reset using only the user's email address and date of birth. Users who have activated the new two-step verification process are not affected by the hack.

We've been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page. It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
Out of concern for user security, The Verge did not share any information about how to perform the hack, and Apple has not publicly commented on the issue.

Users who attempted to activate two-step verification but were put into the three-day waiting period remain vulnerable to the attack. Concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed.

The two-step verification system for Apple ID accounts was introduced yesterday and is supposed to provide users with a login sequence that is nearly impossible to hack for someone without physical access to the user's devices.
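The article does not say what the modified URL changed, only that it let the DOB step be bypassed. The example below is added here and is not Apple's code or the exploit; it assumes the general bug class behind such a bypass (the final reset step trusting client-supplied state) and shows the defensive pattern: record completion of each verification step in server-side session state, never in the request. Account data, tokens and function names are constructed for the example.

```python
"""Illustrative multi-step password-reset flow (added example, hypothetical code)."""
import secrets
from dataclasses import dataclass, field

# Constructed sample account store: email -> date of birth and current password.
ACCOUNTS = {"alice@example.com": {"dob": "1985-04-12", "password": "old-secret"}}

@dataclass
class ResetSession:
    """Server-side record of one reset attempt; the client only ever sees `token`."""
    email: str
    dob_verified: bool = False
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

SESSIONS = {}  # token -> ResetSession, kept entirely on the server

def start_reset(email):
    """Step 1: create a reset session for a known account and hand back an opaque token."""
    if email not in ACCOUNTS:
        return None
    s = ResetSession(email)
    SESSIONS[s.token] = s
    return s.token

def answer_dob(token, dob):
    """Step 2: the DOB check; its outcome is stored server-side, not returned as a flag."""
    s = SESSIONS.get(token)
    if s is None:
        return False
    # DOB is a weak knowledge factor (often public), which is why the article
    # suggests changing it; constant-time compare still avoids leaking by timing.
    s.dob_verified = secrets.compare_digest(dob, ACCOUNTS[s.email]["dob"])
    return s.dob_verified

def set_password_vulnerable(token, new_password, params):
    """Vulnerable pattern: step 3 trusts a client-controlled 'verified' parameter."""
    s = SESSIONS.get(token)
    if s is None:
        return False
    if params.get("verified") == "1":  # attacker simply supplies this in the request
        ACCOUNTS[s.email]["password"] = new_password
        return True
    return False

def set_password_hardened(token, new_password):
    """Hardened pattern: step 3 consults only the server-side session state."""
    s = SESSIONS.get(token)
    if s is None or not s.dob_verified:
        return False
    ACCOUNTS[s.email]["password"] = new_password
    SESSIONS.pop(token)  # single use: the token cannot be replayed for another reset
    return True
```

A detection angle on the same bug class is a request for the final step whose session never passed through the DOB step; in the hardened version that request fails closed and is worth logging.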

Update 1:29 PM: Apple has taken its iForgot password reset system offline.

Update 8:48 PM: Apple's iForgot system is active once again, and iMore has confirmed that the issue has been fixed.

Top Rated Comments

19 months ago
Apple is just a horrible web services company. They've never done much right in the space.
Rating: 33 Votes
19 months ago

Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities. :rolleyes:


Yes, yes it is worse.
Rating: 20 Votes
19 months ago

Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities. :rolleyes:


Yea. I would say it is far worse. One involves your financial information, address and potential identity theft.

The other involves targeting ads based on your searches.

Glad you understand how different the two things are.
Rating: 20 Votes
19 months ago

Yea. I would say it is far worse. One involves your financial information, address and potential identity theft.

The other involves targeting ads based on your searches.

Glad you understand how different the two things are.


Seriously, it confounds me to think how anyone could believe otherwise... This new hole is extremely disconcerting.
Rating: 16 Votes
19 months ago
I better activate the two-step verification then!
Rating: 10 Votes
19 months ago

One involves a bug, a 'security hole' that will quickly be patched and shouldn't have existed.

The other involves a truly immoral company who track you without your knowledge.

Glad you understand how different the two things are.


Really? Without your knowledge? When you sign up for their services, you accept their TOS.

And tracking you is different than exposing actual personal information. Unless you want to start spreading some FUD that Google exposes your PERSONAL information to 3rd parties.
Rating: 9 Votes
19 months ago

Compared to whom? Microsoft? Google? The latter of which are considerably worse. :confused:


When is the last time either of them allowed a trivial password reset to anyone who knows your birthday (information often shared on Facebook)?
Rating: 9 Votes
19 months ago
Unfortunately, it appears if you have a .mac email address as your AppleID, you're screwed. Signing in with that, I have no option to enable the 2-step security process (I do have the option with my .me/iCloud AppleID). And since Apple will not allow you to transfer purchases to another AppleID (something I've wanted to do for years), I'm stuck with that. Which is, apparently, now insecure. Thanks, Apple!
Rating: 8 Votes
19 months ago

Yeah, you're right. It wasn't really a good comparison on my part.

Just wanted to make the point that it's not like this was intentional, although that doesn't justify it. I believe Apple do take privacy very seriously (unlike other companies, as aforementioned), and it's regrettable something this important has been overlooked by them.


I believe the main reason you posted was to "slam" Google and you hoped you would get internet hi-5s. That backfired, didn't it.

Google takes privacy very seriously too. And just like any other company - they've made mistakes or had issues. But if you think security is NOT important to Google then you don't understand their business.

If they lose people's trust or have a really bad security issue - they are finished. Their business model RELIES on keeping information secure.
Rating: 8 Votes
19 months ago
I set my password to "incorrect".

That way, whenever I forget it, it reminds me right away by saying

"Your password is incorrect"
Rating: 8 Votes