Apple has suspended the iForgot password page from its website after a report claimed that there was a security hole that allowed unauthorized password resets. The method involved manipulating a URL generated on reset of a password.

Update: Apple has informed The Next Web that it is working on a fix for the issue, saying that “Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.”
The Verge was first to report the problem, which was then independently verified by iMore. The method was pitifully simple to use, as it required only a detailed URL which could be manipulated by simple text editing. This is less of a hack and more of a pure vulnerability. Apple was notified by many publications about the issue and is apparently working on a fix, as the page is now down.
Apple yesterday enabled two-factor verification for passwords, which eliminates this issue for any user who had it active. But many users likely do not yet have two-factor turned on, and there are some edge cases that require people to wait up to three days before enabling it, for instance if they had recently changed their password. It seems likely that this was an issue that cropped up due to the rollout of two-factor.
It’s not clear exactly why the vulnerability was reported publicly before it was fixed. The general policy with easily exploitable vulnerabilities is to exercise responsible disclosure by informing a company and giving them time to fix a problem unless there is already evidence of it being exploited in the wild. Obviously, if there was evidence that it was being exploited, then alerting the public is the best thing in cases like this, and that may be the case here, as the vulnerability was said to be detailed step-by-step on a public website.
We detailed yesterday exactly how to enable two-factor authentication for your Apple ID, so you should definitely go check that out. It prevents a host of simple hacks and issues from threatening your account security.