Apple has fixed a vulnerability that allowed hackers to change a user’s password. The security bug involved Apple’s password-reset web page and made it possible for anyone with a user’s date of birth and e-mail address to change the subscriber’s password.
Apple’s spokesperson said they were aware of the situation and that a fix was in the works yesterday. In the meantime, the “iForgot” reset page was taken down and remained offline to protect users and for maintenance. Apple has confirmed that the issue was fixed and the web page is back online.
A particular URL was needed for the security exploit to work. The URL allowed hackers to bypass a security question that needs to be answered before the password can be changed.
The exploit did not affect users who had set up an extra security step, which allows users to request a four-digit PIN to be sent via text message to their cell phone; the two-step verification was introduced by Apple Thursday. The PIN can then be entered on the iForgot page along with the user’s password.
According to reports, as an added security measure, several Apple accounts had to wait three days before they could set up the two-step verification. There are over 500 million Apple ID account holders; Apple IDs are used for Apple’s online services and stores. The new two-step security measure is only available in the United States, Australia, Britain, New Zealand and Ireland.