Apple fixes password reset security flaw, iForgot page back online

Apple fixes password reset security flaw, iForgot page back online
iForgot page is back online

Apple has plugged a worrying security hole that allowed an unauthorised party to change a user's Apple ID password just by using the correct email address and date of birth.

The flaw, discovered on Friday, allowed hackers to send a modified URL to the company's iForgot webpage and reset a user's password without having to answer additional security questions.

The company soon responded by temporarily removing the iForgot page from the web and promising it was "working on a fix."

Now, less than 24 hours later, the iForgot page has been restored and the problem has been resolved, according to the iMore website which has verified that the hack is no longer active.

Dancing the two-step

The discovery of the simple work-around came just one day after Apple rolled-out the two-step verification security tool.

This requires users to confirm their identity through a "trusted device" like an iPhone or iPad, whenever changes are made to their Apple ID or iCloud account.

However, such was the rush to sign-up for the simpler (there's no need for security questions) and more secure account protection tool that when yesterday's problem emerged, there was a three-day queue to switch.

This left those using password reset method vulnerable until Apple fixed the flaw late on Friday night.

TOPICS
Chris Smith

A technology journalist, writer and videographer of many magazines and websites including T3, Gadget Magazine and TechRadar.com. He specializes in applications for smartphones, tablets and handheld devices, with bylines also at The Guardian, WIRED, Trusted Reviews and Wareable. Chris is also the podcast host for The Liverpool Way. As well as tech and football, Chris is a pop-punk fan and enjoys the art of wrasslin'.