The day after Apple rolled out a two-step verification system for purchases on the iTunes and App Stores, a new vulnerability appeared that made it possible to take over an Apple ID using just the target's email address and date of birth.
Reports claim that a malicious user could provide a victim's Apple ID and date of birth, and then submit a modified URL in the date-of-birth box, enabling them to change the password for that account without answering any security questions.
If successful, the attacker would gain access to the user's iTunes and iCloud accounts. The security hole was initially identified by iMore.
Last year Apple suspended Apple ID password resets following the hack of journalist Mat Honan's iCloud account. At the time the company told its support staff not to process phoned-in password change requests, and an Apple customer service representative confirmed that Apple was halting all Apple ID password resets by phone.
Following news of the latest hack Apple took the iForgot page offline. The company issued the following statement: "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix."
According to reports, Apple initially blocked access to the password-reset page, but another loophole emerged that still allowed the attack to be performed, leading the company to take the entire site down.
The Verge claimed that although Apple had taken the page down it was "still possible to access the page via other means."
With Apple IDs vulnerable, Apple users were advised to activate Apple's new two-step authentication process. However, in some cases there was a three-day wait before the new authentication process could be added to an account.
In addition, the two-step authentication process is currently only available in six countries, including the UK.
An alternative way to protect an account in the meantime is to change the date of birth on the account to a date other than your real one, since the attack depends on the attacker knowing the date of birth Apple has on file.
Apple has now fixed the problem and iForgot is back online. However, it is still recommended that all iCloud and Apple ID users activate two-step authentication as soon as possible.
On Apple's website the company explains why it is advisable to set up the new two-step authentication process. The company writes: "Your Apple ID is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices. Two-step verification is a feature you can use to keep your Apple ID as secure as possible."
Apple explains the process for setting up the new authentication as follows.
You need to visit the appleid.apple.com site, referred to by Apple as "My Apple ID".
Then select "Manage your Apple ID" and sign in. The next step is to select "Password and Security". Then, under Two-Step Verification, select "Get Started" and follow the on-screen instructions.