When it comes to user security at Apple, it’s one step forward, two steps back.
Yesterday, the company belatedly announced long-needed two-step verification security for Apple IDs, only two years after Google rolled out the protective measure for its users. Today comes word of a massive security flaw that reportedly lets anyone reset your Apple account password if they know your email and your birthday.
(See also: Apple Finally Gets Serious About User Security)
But here’s the punch line: While two-step verification would protect Apple users from this exploit, the company has subjected all requests to activate the security measure to a three day delay. Even then, two-step verification is only available to users in the U.S., the UK, Australia, Ireland, and New Zealand.
How To Protect Yourself
A step-by-step guide to exploiting this vulnerability is still available online, although we won’t link to it here. Basically, it involves pasting in a modified URL on Apple’s iForgot page when prompted to answer the date-of-birth security question to reset your password.
The surest way to protect yourself in the short term — i.e., without two-step verification — is to change your birthday, the Verge’s Chris Welch writes. To its credit, Apple has already disabled its password reset page, presumably to disrupt any attempts to hijack user accounts. With any luck it will have the flaw fixed as soon as possible, although the company has yet to make any public statements regarding the flaw.
This turn of events follows by just days an earlier Apple security faux paux. The company released iOS 6.1.3 for the sole purpose of fixing a lock-screen bypass that let users with a knack for expert timing access an iPhone’s contacts and photo library. Yet later that day it become clear that the update contained yet another lock-screen bypass flaw.
This password reset hack is considerably more destructive than the lockscreen problem, which essentially only allows a would-be hacker to peek at a stolen iPhone’s contacts and photo library. Still, it’s certainly been a bad week for Apple in the user-security department.
We’ve contacted Apple and will update if and when we hear back.
Update:According to the Verge, Apple acknowledges the vulnerability and says it’s working on it:
Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.