Update: Apple has taken the iForgot page offline “due to maintenance.” Now that it is safe, this is how it was done.

Update 2: iForgot is back online and the security hole has been fixed.

A “massive security hole” in Apple’s account management page discovered by The Verge allows anyone to reset your Apple ID password using nothing more than your birthday and email address, completely bypassing your security questions. The trick involves a modified URL that seems to fool the site into skipping the security questions and other verification steps, allowing anyone to gain access to your iTunes, App Store, and other Apple accounts within minutes.

If you use Apple’s iForgot page, you are directed to the options below after entering your email and date of birth, so it would appear that the hack gets around this step.

[Screenshot: the iForgot options, taken 2013-03-22]

However, according to The Verge, your account is apparently safe from this exploit if you use Apple’s new 2-step authentication (instructions in video above. J/K go here).

Way to go Apple in getting everyone on board with the 2-step!
