Apple Users Face Major Security Threat, But Wouldn’t Had Apple Acted Faster

When it comes to user security at Apple, it’s one step forward, two steps back.

Yesterday, the company belatedly announced long-needed two-step verification security for Apple IDs, only two years after Google rolled out the protective measure for its users. Today comes word of a massive security flaw that reportedly lets anyone reset your Apple account password if they know your email and your birthday.

But here’s the punch line: While two-step verification would protect Apple users from this exploit, the company has subjected all requests to activate the security measure to a three-day delay. Even then, two-step verification is only available to users in the U.S., the UK, Australia, Ireland, and New Zealand.

How To Protect Yourself

A step-by-step guide to exploiting this vulnerability is still available online, although we won’t link to it here. Basically, it involves pasting in a modified URL on Apple’s iForgot page when prompted to answer the date-of-birth security question to reset your password.

The surest way to protect yourself in the short term — i.e., without two-step verification — is to change your birthday, the Verge’s Chris Welch writes. To its credit, Apple has already disabled its password reset page, presumably to disrupt any attempts to hijack user accounts. With any luck it will have the flaw fixed as soon as possible, although the company has yet to make any public statements regarding the flaw.

This turn of events follows by just days an earlier Apple security faux pas. The company released iOS 6.1.3 for the sole purpose of fixing a lock-screen bypass that let users with a knack for expert timing access an iPhone’s contacts and photo library. Yet later that day it became clear that the update contained yet another lock-screen bypass flaw.

This password reset hack is considerably more destructive than the lock-screen problem, which essentially only allows a would-be hacker to peek at a stolen iPhone’s contacts and photo library. Still, it’s certainly been a bad week for Apple in the user-security department.

We’ve contacted Apple and will update if and when we hear back.

Update: According to the Verge, Apple acknowledges the vulnerability and says it’s working on it:

Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.
