Apple fixes iCloud password security hole

Previously unknown vulnerability let hackers hijack accounts.

Apple has fixed a security hole in its iForgot tool that allowed hackers to reset users' Apple IDs using a person's email address and date of birth.

The iForgot tool allows iCloud, iTunes and App Store users to reset forgotten passwords. News of the exploit emerged the day after the consumer electronics giant launched two-factor authentication to bolster Apple ID security.

According to a tip-off to The Verge, any customers who had not adopted two-step authentication were vulnerable to a new exploit that allowed anyone to reset account passwords using the email address and the user's date of birth.

A step-by-step guide was published online by cyber criminals explaining how to reset a user password using Apple's own tools.

Hackers were able to use a modified URL while answering the date of birth security question on the iForgot page to reset the password, with no other security barriers coming into play.

The only way for users to protect themselves, it quickly transpired, was to enable two-factor authentication. However, some users had to wait three days for this update to be activated on their account.

"You must wait three days to enable two-step verification. This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification," an automated message read.

The iForgot system was pulled down by Apple approximately four hours after the hole was first reported, with the company admitting the vulnerability existed and that it was "working on a fix".

Approximately eight hours later, the iForgot service was brought back online, with various sources confirming the exploit had been fixed.

It is now generally recommended that users with an Apple ID enable two-factor authentication in the territories where it is available.
