by Brent Dirks
March 22, 2013
Only a day after Apple rolled out a voluntary two-step verification process for iCloud and Apple IDs, The Verge reports on a major security flaw affecting users who haven’t turned on the feature. Anyone who knows just your email address and date of birth can reset your password, using Apple’s own security tools. According to The Verge, a step-by-step tutorial explains exactly how to exploit the flaw, which involves pasting a modified URL while answering the date of birth security question on Apple’s iForgot site:
It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand. Out of security concerns, we will not be linking to the website in question.

Maybe Apple needs to seriously think about making the two-step verification process mandatory, especially if security holes like these continue to pop up.

Update: The iForgot password reset page is now "currently unavailable due to maintenance."