Apple fixes major security exploit which left thousands of Apple ID accounts at risk

Apple has issued a fix for the major security hole in the Apple ID login page that could have potentially affected thousands of users. Earlier, in response to the discovery of the security exploit, the company had taken down the iForgot password reset page after a step-by-step tutorial was posted online to hack anyone’s Apple ID account.

Despite Apple rolling out two-step verification for logins a couple of days ago, many users had not switched over from the old system, which has been shown to be vulnerable to hacking. Any such user’s password could have been easily reset using nothing but an email address and the date of birth.

Apple has issued a fix for the security exploit (Image credit: Reuters)


But now Apple has seemingly issued a fix that plugs the hole and brought the "forgot password" page back online. iMore reported that the security exploit, which involved manipulating a URL, was no longer active.

Apple’s quick fix comes after it was discovered that the page could still be accessed by other means even after it was taken down. The only way for users to protect themselves was to activate Apple's two-step authentication. However, some users had been told they would have to wait three days before the new system would be activated. All such accounts could potentially have been targets.

Even though the problem seems to have been fixed now, it is strongly recommended that iCloud and Apple ID users sign up for the two-step authentication as soon as possible.

Earlier, The Verge reported that the exploit involves pasting in a modified URL while answering the date-of-birth security question on Apple's iForgot page. However, the website, among others, declined to reveal the link which had the step-by-step guide.

Apple’s two-step verification has only been rolled out in the US, UK, Australia, Ireland and New Zealand. So before Apple issued a fix, all user accounts outside those countries were vulnerable.

The weaknesses in the Apple ID login and password system came into the spotlight last year after technology journalist Mat Honan revealed how hackers used the loopholes in the verification system to reset his password, worm their way into his entire digital life and wipe everything, including emails, pictures stored on iCloud and his work.

In recent times, the company’s services have been found to be quite vulnerable to attacks. In the case of iOS, Apple tried to fix a couple of ways of circumventing the passcode of the iPhone’s lock screen. However, another, easier exploit has since been discovered for devices running the iOS 6.1.3 update.

Published Date: Mar 23, 2013 10:06 am | Updated Date: Mar 23, 2013 10:06 am