Apple ID security hole allows simple hack with email address and DOB
A worrying new security hole allows an Apple ID to be hacked by anyone who knows the user’s email address and date of birth.
The vulnerability affects all customers yet to upgrade to the two-step verification process, leaving those users’ accounts wide open to anyone who knows those not-exactly-hard-to-track-down pieces of basic data.
Tech blog The Verge claims it has been handed a step-by-step tutorial, which remains online (but unpublished by the tech media for obvious reasons) and allows the hack to be easily performed using Apple’s own password reset tools.
All unsanctioned parties have to do is enter the relevant email address into Apple’s password reset site and then enter the user’s date of birth as an answer to the security question. If a modified URL is then pasted into the URL bar, the password can be easily reset. Scary.
The discovery of such a gaping security hole means that those yet to upgrade to Apple’s new two-step verification service should probably do so very soon indeed.
The new method requires any changes to an iTunes, Apple ID or iCloud account to be verified by a “trusted” device like an iPhone or iPad, or by another smartphone number, and is much more secure.
The service is so far available only in the UK, US, Australia and New Zealand, and some users are reporting that the process is now taking three days to activate, leaving them vulnerable in the meantime.
If you’re worried, The Verge suggests going into your Apple ID account and changing your date of birth to throw potential intruders off the scent.
Via The Verge