Less than a day after Apple announced a new two-factor authentication to better protect Apple ID and iCloud accounts, the company was scrambling to fix another major security hole with its own password reset tool.
As first reported earlier Friday by The Verge, this new exploit allows anyone to gain access to private accounts by pasting a modified URL and them adding a victim’s e-mail address and birth date on the iForgot password reset page. Soon after learning of the exploit, the iForgot page was taken down for “maintenance.”
Even those users that enabled Apple’s new two-step verification process yesterday remain vulnerable since there’s apparently a three-day waiting period to “ensure that no one other than the owner of this Apple ID can set up two-step verification.” An email will be sent to help establish validity.
Apple’s new system, available only in the United States, United Kingdom, Australia and New Zealand, uses a 14-digit recovery key that can be activated to access an otherwise locked account and without needing a personal security question.
Earlier this month a video surfaced detailing how someone could bypass the lock screen of a password-protected iPhone to access the device’s phone app, contacts, voicemail and photos.
Regarding this more recent security hole, Apple issued a statement to The Verge later Friday that said, “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.”
In addition to starting the process to enable two-step verification, users can mitigate risks of someone hijacking an account by changing their birth date. To do so, open the Privacy & Security button at the bottom of the Apple Account Settings page.