The accounts of users who didn't activate 2FA were at risk

Mar 23, 2013 11:20 GMT

On Friday, we learned that Apple rolled out two-step authentication to allow users to better protect their accounts. Shortly after, reports started coming in about a serious vulnerability that could be exploited to reset passwords.

According to The Verge, user accounts could have been hijacked by anyone possessing the victim’s email address and date of birth.

Apple shut down its iForgot password reset page and immediately started working on addressing the issue.

However, while the Cupertino giant was working on the fix, the accounts of users who didn’t activate two-factor verification were at risk.

Unfortunately, some users who attempted to activate the new security measure were informed that it would take up to three days before two-step authentication was enabled, leaving their accounts vulnerable to hijacking.

Currently, the iForgot page has been restored. The Verge reports that the password reset exploit no longer works.