Huge security hole allows anyone to reset your Apple password with nothing but an email and the user's birthday!
Your Apple ID is the login you use to access iTunes and purchase music,
videos, and apps. Millions of people have their credit card information
tied to their Apple ID, so how did this password security problem occur?
Normally, the password reset process has 6 steps:
1. Enter your Apple ID to begin the process on iforgot.apple.com
2. Choose an authentication method - "Answer security questions" is the one at issue here.
3. Enter your birthday.
4. Answer two security questions.
5. Enter a new password.
6. A confirmation that your password has been reset.
When step 4 completes, the browser is sent to a long, complex URL. That
URL could be reconstructed by performing a reset on your own password,
capturing the data, and tweaking it just slightly so that it referred to
someone else's account, thereby letting an attacker skip straight from
step 3 to step 5. The new exploit affects all customers who have not yet
enabled the new two-step verification feature. To make matters worse,
some users who enabled two-step verification yesterday have to wait 3
days before it kicks in, meaning they may still be vulnerable to the
exploit in the meantime.
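The root cause described above is a reset flow that trusts something the client can edit (a URL) to decide which account is being reset and which step has been reached. The example below is added here to show the defensive design a reset service should have; it is not Apple's code, and the `ResetService` class, the `ACCOUNTS` store and the sample accounts in it are all constructed for illustration. Every step is recorded on the server against an opaque random token, the account is bound to that token at step 1 and never read from a request parameter, and step 5 refuses to run unless that same flow actually completed step 4.

```python
import secrets

# Constructed sample account store for this example: id -> birthday and
# lowercase security-question answers. Not real data.
ACCOUNTS = {
    "alice@example.com": {
        "birthday": "1990-04-12",
        "answers": {"first pet": "rex", "first school": "oakwood"},
    },
    "bob@example.com": {
        "birthday": "1985-11-02",
        "answers": {"first pet": "tom", "first school": "hillside"},
    },
}


class ResetError(Exception):
    """Raised whenever a step is attempted out of order or verification fails."""


class ResetService:
    """Server-side password-reset flow (hypothetical; not Apple's code).

    The client holds only an opaque random token. Which account is being
    reset and which step has been reached live on the server, so nothing a
    user can edit in a URL changes either of them.
    """

    def __init__(self, accounts):
        self.accounts = accounts
        self._flows = {}  # token -> {"account": id, "stage": int}

    def _flow(self, token, expected_stage):
        # Reject unknown tokens and any attempt to jump ahead (or back).
        flow = self._flows.get(token)
        if flow is None or flow["stage"] != expected_stage:
            raise ResetError("unknown flow or step out of order")
        return flow

    def start(self, account_id):
        """Step 1: bind the flow to an account and hand back a token."""
        token = secrets.token_urlsafe(32)
        self._flows[token] = {"account": account_id, "stage": 1}
        return token

    def choose_method(self, token, method):
        """Step 2: only the security-questions path is modelled here."""
        flow = self._flow(token, 1)
        if method != "questions":
            raise ResetError("unsupported method")
        flow["stage"] = 2

    def verify_birthday(self, token, birthday):
        """Step 3: birthday check (weak on its own, which is why step 4 exists)."""
        flow = self._flow(token, 2)
        acct = self.accounts.get(flow["account"])
        if acct is None or not secrets.compare_digest(
            acct["birthday"].encode(), birthday.encode()
        ):
            raise ResetError("verification failed")
        flow["stage"] = 3

    def verify_answers(self, token, answers):
        """Step 4: both security questions must match (case-insensitive)."""
        flow = self._flow(token, 3)
        expected = self.accounts[flow["account"]]["answers"]
        ok = len(answers) == len(expected) and all(
            q in answers
            and secrets.compare_digest(a.encode(), answers[q].strip().lower().encode())
            for q, a in expected.items()
        )
        if not ok:
            raise ResetError("verification failed")
        flow["stage"] = 4

    def set_new_password(self, token, new_password):
        """Step 5: refused unless this very flow reached stage 4.

        The account comes from server state, never from a request parameter,
        and the token is consumed so the final URL cannot be replayed.
        """
        flow = self._flow(token, 4)
        account = flow.pop("account")
        del self._flows[token]
        # A real service would hash and store new_password here.
        return account
```

The check that matters is in `_flow`: a token that has only reached stage 3 cannot call `set_new_password`, and because the account identifier is looked up from the token rather than taken from the request, editing the URL to name a different account changes nothing.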
What a terrible thing! Luckily, the full process did not leak before the
reset flow was revamped, and there have been no reports yet of anyone
falling victim to this flaw.
“Apple takes customer privacy very seriously,” an Apple spokesperson
told AllThingsD in a statement. “We are aware of this issue, and working
on a fix. Two-step verification is an even more robust process to
ensure our users’ data remains protected. We are now offering our users
the choice to take advantage of this additional layer of security.” With
two-step verification enabled, each time you try to log in from a new
device, a security code is sent via SMS or to the Find My iPhone app
(available from the App Store) and must be entered to get in. The
feature can be turned on from the Security tab of the Apple ID website
for users in the US, UK, Australia, Ireland, and New Zealand. Users have
to wait up to three days for the feature to become active.
If you haven’t enabled two-step verification on your Apple account, we strongly recommend that you do so as soon as possible.
By the way, I want to declare that anyone who uses iTunes Backup Password Recovery
to unlock an iTunes backup password should adhere to basic morals.
Don’t use this smart tool to violate the privacy of others.