Apple on Friday fixed a serious flaw in its iForgot password reset web page that could have allowed an attacker to reset a victim's account password with just an email address and date of birth.
Apple took its iForgot password reset page down for several hours on Friday after a document reportedly began circulating on the web explaining how to bypass the security questions Apple asks before allowing a person to change their password.
The exploit relied on a manipulated URL to trick Apple's iForgot page into authorising a password reset without the security questions used to challenge the account holder ever being answered. An attacker therefore needed only the victim's Apple ID (an email address) and date of birth to reset the password, and so gain access to Apple services such as iTunes.
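The class of bug described above, a multi-step flow that lets a client-supplied URL parameter stand in for proof that an earlier step was completed, is easy to reproduce in miniature. The following is an added, constructed example and not Apple's code: the real iForgot parameters were never published, so the `step` parameter, the account record, the session store and the `victim@example.com` account are all hypothetical. It shows a vulnerable handler that trusts the URL next to a hardened one that only honours server-side state.

```python
"""Step-skipping in a multi-step password-reset flow (constructed example,
not Apple's code). The flow has three steps:
  1. identify the account (Apple ID + date of birth)
  2. answer the security questions
  3. set the new password
The vulnerable handler treats a client-supplied 'step' parameter as proof
that step 2 was passed; the hardened handler records step completion
server-side and refuses to advance otherwise.
"""
from dataclasses import dataclass
from typing import Optional
import secrets

# Hypothetical account store with constructed data (no real accounts).
ACCOUNTS = {
    "victim@example.com": {
        "dob": "1990-01-01",
        "answers": {"first pet": "rex"},
        "password": "old-password",
    }
}


@dataclass
class Session:
    token: str
    apple_id: Optional[str] = None
    identified: bool = False          # step 1 passed (server-side record)
    questions_passed: bool = False    # step 2 passed (server-side record)


SESSIONS: dict = {}


def start_session() -> Session:
    s = Session(token=secrets.token_urlsafe(16))
    SESSIONS[s.token] = s
    return s


def step_identify(session: Session, apple_id: str, dob: str) -> bool:
    """Step 1: needs only the Apple ID and date of birth."""
    acct = ACCOUNTS.get(apple_id)
    if acct is None or acct["dob"] != dob:
        return False
    session.apple_id = apple_id
    session.identified = True
    return True


def step_questions(session: Session, answers: dict) -> bool:
    """Step 2: the security-question challenge."""
    if not session.identified:
        return False
    if answers != ACCOUNTS[session.apple_id]["answers"]:
        return False
    session.questions_passed = True
    return True


def vulnerable_set_password(session: Session, params: dict, new_password: str) -> bool:
    """Step 3, broken: 'step=password' in the URL is taken as evidence that
    step 2 was completed, so anyone who passed step 1 can skip the questions
    by editing the URL."""
    if not session.identified:
        return False
    if params.get("step") != "password":
        return False
    ACCOUNTS[session.apple_id]["password"] = new_password
    return True


def hardened_set_password(session: Session, params: dict, new_password: str) -> bool:
    """Step 3, fixed: the URL is ignored; only the server-side record of
    step 2 succeeding authorises the reset."""
    if not (session.identified and session.questions_passed):
        return False
    ACCOUNTS[session.apple_id]["password"] = new_password
    return True


def demo_attack(handler) -> bool:
    """Attacker knows only the Apple ID and DOB, skips step 2 and submits a
    manipulated step parameter. Returns True if the reset went through."""
    ACCOUNTS["victim@example.com"]["password"] = "old-password"
    s = start_session()
    step_identify(s, "victim@example.com", "1990-01-01")
    return handler(s, {"step": "password"}, "attacker-chosen")


def demo_legitimate(handler) -> bool:
    """Genuine owner completes every step; must succeed with either handler."""
    ACCOUNTS["victim@example.com"]["password"] = "old-password"
    s = start_session()
    step_identify(s, "victim@example.com", "1990-01-01")
    step_questions(s, {"first pet": "rex"})
    return handler(s, {"step": "password"}, "owner-chosen")


if __name__ == "__main__":
    print("vulnerable handler, attacker:", demo_attack(vulnerable_set_password))
    print("hardened handler, attacker:  ", demo_attack(hardened_set_password))
    print("hardened handler, owner:     ", demo_legitimate(hardened_set_password))
```

The defence is not to validate the URL better but to stop reading authorisation from it at all: which steps a session has passed is something only the server can know, and each step should check the server-side record left by the step before it.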
Apple began prompting Apple ID account holders to strengthen their account credentials with additional security questions last April, according to ZDNet’s sister site CNET, which received confirmation from Apple that the flaw had been fixed.
Apple-focused news site 9to5Mac identified a Chinese-language hacking site as the source of the exploit. An English-language hacking site also published a variation of the attack, detailing how to exploit a cross-site scripting flaw on Apple's password reset page.
The exploit was published on the day that Apple launched two-factor authentication (branded by Apple as two-step verification) for Apple ID accounts, which would have prevented the attack for anyone who had enabled it. Once activated, the feature replaces security-question-based verification with a 4-digit code sent to the user's mobile device, which can also be used, for example, to authorise a purchase.