Apple disables iForgot password recovery following major security vulnerability
Apple has temporarily blocked its iForgot password recovery feature for Apple IDs, following the discovery of a major security weakness on Friday.
First discovered by The Verge, the hole allowed a malicious hacker to reset your password using only your email address and date of birth, via Apple's own password recovery tools. It was a simple process: a modified URL let the attacker skip past the security questions and gain full access to a user's Apple ID settings.
Yesterday, Apple beefed up security on users' accounts by rolling out a two-step authentication system, which the loophole could not bypass. However, because most users aren't yet on the system, the folks in Cupertino made the right call by turning off password recovery until things are fixed. It's worth noting that the company jumped on the situation fairly quickly.
“Apple takes customer privacy very seriously,” Apple told AllThingsD in a statement. “We are aware of this issue, and working on a fix.
“Two-step verification is an even more robust process to ensure our users’ data remains protected. We are now offering our users the choice to take advantage of this additional layer of security.”
If the two-step verification feature is enabled, each time you try to log in on a new device a security code will be sent via SMS or the Find My iPhone app, available from the App Store. Users in the US, UK, Australia, Ireland, and New Zealand can turn the feature on from the security tab of the Apple ID website. Users are having to wait up to three days for the feature to be enabled.
Update: The iForgot system is now back online following the downtime. Things look to be back to normal, as the malicious URL no longer works.