Gaping security holes are a pretty terrifying thing, especially when they involve something as sensitive as your Apple ID. Sadly it seems that immediately after making the paranoid happy by instituting two-step authentication a pretty massive flaw in Cupertino’s system was discovered and first reported by The Verge. Turns out you can reset any Apple ID password with nothing more than a person’s email address and date of birth — two pieces of information that are pretty easy to come across.
There’s a little more to the hack, but it’s simple enough that even your non-tech savvy aunt or uncle could do it. After entering the target email address in the password reset form you can then select to answer security questions to validate your identity. The first task will be to enter a date of birth. If you enter that correctly then paste a particular URL into the address bar (which we will not be publishing for obvious reasons), press enter, then — voilà — instant password reset! Or, at least that’s the story. While we were attempting to verify these claims Apple took down the password reset page for “maintenance.” Though we’ve received no official confirmation from Apple, it seems the company is moving swiftly to shut down this particularly troublesome workaround before word of it spreads too far.
Update: We’ve heard back from Apple on the matter, which stated, “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.” No real surprises that a fix is in the works, but there you have it from the horse’s mouth.
Update 2: The forgotten password page is back as of late Friday evening — that was (relatively) quick. iMore reports (and we’ve verified ourselves) that the security hole is now closed.