Apple has plugged a worrying security hole that allowed an unauthorised party to change a user's Apple ID password just by using the correct email address and date of birth.
The flaw, discovered on Friday, allowed hackers to send a modified URL to the company's iForgot webpage and reset a user's password without having to answer additional security questions.
The company soon responded by temporarily removing the iForgot page from the web and promised it was "working on a fix."
Now, less than 24 hours later, the iForgot page has been restored and the problem has been resolved, according to the iMore website, which has verified that the hack is no longer active.
Dancing the two-step
The discovery of the simple workaround came just one day after Apple rolled out the two-step verification security tool.
This requires users to confirm their identity through a "trusted device" like an iPhone or iPad whenever changes are made to their Apple ID or iCloud account.
However, such was the rush to sign up for the simpler (there's no need for security questions) and more secure account protection tool that, when yesterday's problem emerged, there was a three-day queue to switch.
This left those stuck with the old password reset method vulnerable until Apple fixed the flaw late on Friday night.
Source: techradar[dot]com