Apple fixes dangerous password reset flaw

Summary: A flaw that could allow an attacker to gain access to a victim's account with their Apple ID and date of birth has been fixed.

Apple on Friday fixed a serious flaw in its iForgot password reset web page that could have allowed an attacker to reset a victim's account with just an email address and date of birth.

Apple took its iForgot password reset page down for several hours on Friday after a document reportedly began circulating on the web explaining how to bypass the security questions Apple asks before allowing a person to change their password.

The exploit relied on a manipulated URL to trick Apple's iForgot page into authorising a password reset without answering the security questions used to challenge the account holder. It meant that an attacker would only need to know the victim's date of birth and Apple ID to reset their password, and so gain access to Apple services such as iTunes.
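The class of flaw described above is a reset flow that lets the request, rather than the server, assert which verification steps have passed. As an added illustration (not Apple's code and not from the article), the handler below keeps the flow's stage server-side, so a request that jumps straight to the reset step is refused whatever its URL carries. The account record, the security answer and the session store are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo account; a real service would store a salted password hash.
ACCOUNTS = {
    "alice@example.invalid": {
        "dob": "1990-01-01",
        "answer_hash": hashlib.sha256(b"rover").hexdigest(),
        "password": "old-password",
    },
}

# Server-side reset sessions: session id -> {"email": ..., "stage": ...}.
# The stage lives only here; nothing in a URL or form field can set it.
SESSIONS = {}


def start_reset(email, dob):
    """Stage 1: identify the account. Opens a session, authorises nothing."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["dob"], dob):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"email": email, "stage": "identified"}
    return sid


def answer_question(sid, answer):
    """Stage 2: check the security answer and advance the session server-side.
    (A real service would also rate-limit attempts per session.)"""
    s = SESSIONS.get(sid)
    if s is None or s["stage"] != "identified":
        return False
    given = hashlib.sha256(answer.encode()).hexdigest()
    if not hmac.compare_digest(ACCOUNTS[s["email"]]["answer_hash"], given):
        return False
    s["stage"] = "verified"
    return True


def reset_password(sid, new_password):
    """Stage 3: honoured only if the server itself recorded stage 2 passing.
    The session is consumed on success so the grant is single-use."""
    s = SESSIONS.get(sid)
    if s is None or s["stage"] != "verified":
        return False
    del SESSIONS[sid]
    ACCOUNTS[s["email"]]["password"] = new_password
    return True
```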

Apple began prompting Apple ID account holders to beef up their account credentials with additional security questions last April, according to ZDNet’s sister site CNET, which received a confirmation from Apple that the flaw had been fixed.

Apple news site 9to5Mac identified a Chinese-language hacking site as the source of the exploit. An English-language hacking site also published a variation of the attack, detailing how to exploit a cross-site scripting flaw on Apple's password reset page.

The exploit was published on the day that Apple launched two-factor authentication for Apple ID accounts, which would have prevented the attack for anyone who had enabled it. Once activated, the feature replaces the security-question-based verification with a 4-digit code sent to the user's mobile device that can, for example, be used to authorise a purchase.

Topics: Security, Apple


Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio
