Apple’s iForgot password reset page is back up and running after a security hole that allowed unauthorised resets was discovered. In recent days Apple launched two-factor authentication.
Apple joined internet giants like Dropbox, Facebook and Google in deploying two-factor authentication to keep password hackers at bay. Instead of just entering a password each time you want to download an app, a unique 4-digit verification code is sent to a trusted device and has to be entered before the transaction goes ahead.
However, just as Apple was rolling out the new service, a security hole was discovered that allowed unauthorised password resets on accounts still using single-step authentication. Users who had already moved to two-factor authentication were free of the threat.
Apple took down its iForgot password reset page to fix the vulnerability.
According to iMore, the vulnerability enabled a hacker who had access to a victim’s date of birth and Apple ID to send Apple a URL that allowed them to reset the password without needing to answer any security questions.