Apple's password-resetting process has been taken down following the publication of a major security hole that allowed accounts to be accessed with just an email and date of birth. Apple is in the process of fixing the vulnerability.
The password-reset exploit, first reported by The Verge after they received an anonymous tip, involved pasting a certain URL into the browser while answering the date-of-birth security question. This would grant access to the iTunes and iCloud accounts associated with that email address, with which the attacker could do what they liked.
There is no indication of how long the hole has been available to be taken advantage of, or how accounts have been compromised.
Apple is working on a fix, but in the meantime has taken down the password-reset function. The company rolled out a two-step verification process on Thursday, allowing users to tie their account security to a device ? but it takes three days to take effect, so even early adopters were vulnerable to this exploit.
The company offered the following statement pending further announcements on the security hole:
Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.