The Verge is reporting that the Apple ID login system has been compromised and passwords can be reset using only the user’s email address and date of birth. Users who have activated the new two-step verification process are not affected by the hack.
We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
Out of concerns for user security, The Verge did not share any information about how to perform the hack, and Apple has not publicly commented on the issue.
Users who attempted to activate two-step verification but are put into a three-day waiting period are vulnerable to the attack, and concerned users can log into their Apple ID accounts and change their birthdate to something less easily guessed.
The two-step verification system for Apple ID accounts was introduced yesterday and is supposed to provide users with a login sequence that is nearly impossible to hack for someone without physical access to the user’s devices.
Update 1:29 PM: Apple has taken its iForgot password reset system offline.
Update 8:48 PM: Apple’s iForgot system is active once again, and iMore has confirmed that the issue has been fixed.