Updated 4:36pm to include Apple’s comment.
A new vulnerability in Apple’s password reset system may allow hackers to change the passwords for your Apple accounts using only an email address, birthday, and a “modified URL,” according to the Verge.
“Apple takes customer privacy very seriously. We’re aware of this issue and working on a fix,” an Apple spokesperson told VentureBeat.
The spokesperson explained that while the company looks into the issue, it has taken down the “iForgot” feature that allows you to reset your password if you’ve forgotten it.
The details on the tactics used to change the passwords are murky. The Verge obtained step-by-step instructions, which reportedly include using the correct combination of your email and birth date, along with a link that tricks the system and avoids answering any security questions. While it does involve a small piece of personal information — your birthday — most people include this on their social profiles. It’s an easy find.
Thus far, we haven’t heard of anyone affected by this attack, and we have reached out to Apple for confirmation that the vulnerability exists and any future steps Apple is taking toward fixing it.
Yesterday, Apple announced that it added two-factor authentication to its iCloud and Apple ID logins. It seems that if you have already enabled two-factor authentication, you’re safe from this attack.
Two-factor authentication is the process by which you receive a code — in Apple’s case, a code is sent by SMS or through the Find My iPhone app — that you must provide along with your password. It’s sometimes seen as a barrier to entry, but two-factor really does put an extra obstacle between your data and anyone who is not you.