Yesterday Apple implemented an optional two-step verification system for Apple ID accounts, allowing users to set a dedicated device and use a recovery code to strengthen the security of Apple accounts. With two-step verification, it is impossible for people to access and manage your Apple ID without access to your password and a verification code sent to your “trusted” device.
If you haven’t yet activated two-step verification, your Apple ID could potentially be in jeopardy. The Verge is reporting that a new exploit has been discovered that allows anyone to reset the password of an iTunes account that does not use two-step verification.
All that’s necessary is your date of birth and your email address. Using a modified URL (which The Verge did not reveal, for security reasons) for Apple’s iForgot password recovery page, a potential account thief only needs to enter your Apple ID email address and your birth date in order to successfully reset your password, bypassing all of your security questions.
We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand. Out of security concerns, we will not be linking to the website in question.
Apple’s iForgot page typically allows users to reset a password after entering an Apple ID, a birth date, and two security questions. The password is then reset right on the page. With the hack, the security questions are skipped, giving anyone a way to hijack an iTunes account.
If you didn’t have enough incentive to enable two-step verification yesterday, you should definitely head right over to the Apple ID management page in order to start the process. Accounts with two-step verification enabled are not vulnerable to the hack because after asking for an ID, Apple asks for the second security code rather than a date of birth.
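The flaw described above is a multi-step reset flow in which a client can jump past the security-question steps. The following is an added illustration, not Apple's code, of a reset flow that keeps its own server-side record of which steps a session has actually proven, so a request that skips ahead to the final step is refused; two-step accounts take the device-code path the article describes. The account store, answers, code and function names are constructed placeholders.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample account store (placeholder values, not real data).
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-01-01", "two_step": False,
                          "answers": {"q1": "rex", "q2": "austin"}},
    "bob@example.com": {"dob": "1985-05-05", "two_step": True,
                        "code": "123456", "answers": {}},
}

def required_steps(account):
    # As on the page: a two-step account is asked for its device code
    # instead of a date of birth and security questions.
    return ["code"] if account["two_step"] else ["dob", "q1", "q2"]

@dataclass
class ResetSession:
    apple_id: str
    completed: set = field(default_factory=set)  # steps proven in THIS session

def expected_value(account, step):
    if step == "dob":
        return account["dob"]
    if step == "code":
        return account["code"]
    return account["answers"].get(step, "")

def submit_step(session, step, value):
    """Verify one step; reject any step whose predecessors are not done."""
    account = ACCOUNTS[session.apple_id]
    steps = required_steps(account)
    if step not in steps:
        return False
    if not all(prev in session.completed for prev in steps[:steps.index(step)]):
        return False  # client tried to jump ahead (e.g. via a crafted request)
    if hmac.compare_digest(value, expected_value(account, step)):
        session.completed.add(step)
        return True
    return False

def reset_password(session, new_password):
    """Final step: trust only the server's own record, never the request."""
    account = ACCOUNTS[session.apple_id]
    if set(required_steps(account)) - session.completed:
        return False  # at least one required step was skipped
    account["password"] = new_password
    return True
```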
Some people, myself included, were given a three-day waiting period before two-step verification can be enabled, due to a forced password change (mine was not secure enough). If you have a three-day wait, you are vulnerable to attack, and The Verge has rightfully recommended temporarily altering your date of birth to keep your account safe until Apple can implement a fix.
At this point, the URL necessary to hijack accounts has not gone public, but it is only a matter of time before it does.