Huge Security Hole Allows Anyone To Reset Your Apple Password With Only Email Address And Date Of Birth


Apple made Apple IDs (and with them iCloud) a lot more secure yesterday by rolling out two-step verification, which should keep hijackers at bay. However, a huge security hole has just been found that lets a hijacker reset an Apple ID password with nothing more than the account's email address and the owner's date of birth.

The exploit affects every customer who has not yet enabled the new two-step verification feature. To make matters worse, some users who enabled it yesterday have to wait three days before it kicks in, so they may still be vulnerable in the meantime.


The Verge reports that the exploit involves pasting in a modified URL while answering the DOB (date of birth) security question on Apple's iForgot page. It is easy enough for just about anyone to pull off.
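The report says only that a modified URL pasted at the date-of-birth step gets the attacker through. The weakness that description points at is a generic one: a multi-step reset flow that trusts client-controlled state (a stage or step parameter in the URL) instead of recording server-side which checks have actually passed. The following is an added illustration of that weakness and its fix, not Apple's code and not the actual exploit; the account record, the `iforgot.example` host, the `stage` and `token` parameter names and the `NaiveResetFlow` / `HardenedResetFlow` classes are all constructed for this example.

```python
"""Constructed example: a password-reset flow that trusts a URL-supplied stage,
beside one that keeps the stage server-side. Not Apple's code."""
import copy
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed account record for the demo; real systems store hashes, not plaintext.
ACCOUNTS = {
    "victim@example.com": {"dob": "1990-05-17", "answer": "rex", "password": "old"},
}


def parse_reset_url(url):
    """Flatten the query string of a submitted reset URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class NaiveResetFlow:
    """Vulnerable: which step the client is on comes from the URL the client sends."""

    def __init__(self, accounts):
        self.accounts = copy.deepcopy(accounts)

    def handle(self, url, form):
        params = parse_reset_url(url)
        acct = self.accounts.get(params.get("email", ""))
        if acct is None:
            return "no such account"
        stage = params.get("stage", "dob")  # attacker-controlled
        if stage == "dob":
            return "ok: answer question" if form.get("dob") == acct["dob"] else "wrong dob"
        if stage == "question":
            return "ok: set password" if form.get("answer") == acct["answer"] else "wrong answer"
        if stage == "reset":  # reachable without ever passing the earlier stages
            acct["password"] = form["new_password"]
            return "password reset"
        return "bad stage"


class HardenedResetFlow:
    """Fixed: the stage lives in a server-side session keyed by an unguessable token,
    and advances only when the check for the current stage actually passes."""

    def __init__(self, accounts):
        self.accounts = copy.deepcopy(accounts)
        self._sessions = {}  # token -> {"email": ..., "stage": ...}

    def start(self, email):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"email": email, "stage": "dob"}
        return token

    def handle(self, url, form):
        params = parse_reset_url(url)
        token = params.get("token", "")
        session = self._sessions.get(token)
        if session is None:
            return "invalid token"
        acct = self.accounts.get(session["email"])
        stage = session["stage"]  # any 'stage' in the URL is ignored
        if stage == "dob":
            if acct is not None and form.get("dob") == acct["dob"]:
                session["stage"] = "question"
                return "ok: answer question"
            return "wrong dob"
        if stage == "question":
            if form.get("answer") == acct["answer"]:
                session["stage"] = "reset"
                return "ok: set password"
            return "wrong answer"
        if stage == "reset":
            acct["password"] = form["new_password"]
            del self._sessions[token]  # single use
            return "password reset"
        return "bad stage"


def demo_naive():
    """Attacker knows only the email; pastes a URL claiming the final stage."""
    flow = NaiveResetFlow(ACCOUNTS)
    return flow.handle("https://iforgot.example/reset?email=victim@example.com&stage=reset",
                       {"new_password": "pwned"})


def demo_hardened_attack():
    """Same trick against the hardened flow: the URL's stage is ignored."""
    flow = HardenedResetFlow(ACCOUNTS)
    token = flow.start("victim@example.com")
    url = f"https://iforgot.example/reset?token={token}&stage=reset"
    r1 = flow.handle(url, {"new_password": "pwned"})   # still at dob: no dob given
    r2 = flow.handle(url, {"dob": "1990-05-17"})       # passes dob, advances
    r3 = flow.handle(url, {"new_password": "pwned"})   # still needs the question
    return r1, r2, r3


def demo_hardened_legit():
    """The legitimate owner walks every stage in order."""
    flow = HardenedResetFlow(ACCOUNTS)
    token = flow.start("victim@example.com")
    url = f"https://iforgot.example/reset?token={token}"
    flow.handle(url, {"dob": "1990-05-17"})
    flow.handle(url, {"answer": "rex"})
    result = flow.handle(url, {"new_password": "new"})
    return result, flow.accounts["victim@example.com"]["password"]


if __name__ == "__main__":
    print("naive:", demo_naive())
    print("hardened, attacker:", demo_hardened_attack())
    print("hardened, owner:", demo_hardened_legit())
```

The design point is that the only thing the client may carry between steps is an opaque token; every decision about which step comes next is made from server-side state that is updated only after a check succeeds, and the token is discarded once the reset completes.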

If you haven't enabled two-step verification on your Apple ID, we strongly recommend that you do so as soon as possible. For information on how to set it up, check out our article here.

  • dcj001

    “while answering the DOM security question”

    What is DOM, Buster?

  • RaptorOO7

    It's pretty sad that Apple continues to have issues with security surrounding iOS and now the desktop. I can say, though, that I am glad I got my 2-step authentication done last night before the 3-day waiting period started to happen, and at least I can d/l the latest iOS update to my iP5 to patch the issues. This of course is something I couldn't do on Android due to carriers, OEMs, multiple chipset mfgs, etc. Not that Android is inferior, since it isn't; it's just a bit more complicated to roll out updates on.

  • JoaoTMDias

    “while answering the DOM security question”

    What is DOM, Buster?

    A representation of a tree of accessible elements in your web pages.
    http://www.w3schools.com/htmldom/default.asp

About the author

Buster Hein is Cult of Mac's Senior News Editor and lives in Phoenix, Arizona. Twitter: @bst3r.


Posted in News