Apple fixes security flaw in iForgot password recovery system

Apple has fixed a security flaw, which allows hackers to unauthorisedly change a user’s Apple ID password just by using the correct email address and date of birth.

The flaw could be exploited by hackers to send a modified URL to the company’s iForgot webpage and reset the password without furnishing additional security questions.

Apple’s security flaw comes in the midst of launch of a new level of security to iCloud and Apple ID accounts that require two-step verification to avoid passwords from being stolen.

According to Apple, the exploit didn’t work on the accounts of users who have activated the two-step verification in which users will receive a 4-digit code through SMS from Apple to a trusted device.

The process mandates users to authenticate their identity by entering both password and a 4-digit verification code through their devices prior to making any modifications to the user’s account or purchasing an iTunes, App Store, or iBookstore from a new device.

In addition, Apple has advised several users to wait three days before they could enable the two-step verification setup and it is only available in the US, Britain, Australia, Ireland, and New Zealand.

Globally, there are about 500 million active Apple ID accounts, which consumers use for the company’s various stores and online services, including iCloud.

Sign up for our regular news round-up!

Give your business an edge with our leading Tech Monitor

Sign up