Update: Apple has taken the iForgot page offline “due to maintenance.” Now that it is safe, this is how it was done.

Update 2: iForgot is back online and the security hole has been fixed.

A “massive security hole” in Apple’s account management page discovered by The Verge allows anyone to reset your Apple ID password using nothing more than your birthday and email address, completely bypassing your security questions. The trick involves a modified URL that seems to fool the site into skipping the security questions and other verification steps, allowing anyone to gain access to your iTunes, App Store, and other Apple accounts within minutes.

If you use Apple’s iForgot page, you are directed to the options below after entering your email and DOB, so it would appear that the hack gets around this step.

[Image: Screen Shot 2013-03-22 at 2.54.12 PM]

However, according to The Verge, your account is apparently safe from this exploit if you use Apple’s new 2-step authentication (instructions in video above. J/K go here).

Way to go Apple in getting everyone on board with the 2-step!


About the Author

Mike Beasley