Apple fixes iForgot security hole that compromised Apple ID passwords

That was fast. Earlier today, Christian told you that a major security hole had been discovered involving Apple’s iForgot page that allowed someone to reset your Apple ID password with just your birthdate and email address.

Unsurprisingly, Apple immediately took the password page down after getting word of the vulnerability. And after just a few hours of ‘maintenance,’ the page is back up and—we’re happy to report—once again safe to use…

The Verge was the first to report the security hole:

“The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.”

The discovery of the exploit came just one day after Apple introduced a two-step verification process that, once enabled, requires you to verify your identity from one of your devices before making account changes or purchases.

Of course, we recommended enabling the process to help protect your Apple ID. But doing so requires a complex password. And folks who don’t have one must set one up, with a 3-day waiting period, leaving them vulnerable.

But the good news is, Apple has fixed the exploit, and the iForgot page is safe to use again. We still, however, recommend setting up two-step verification for the added security.

Categories: