The Verge yesterday reported that “Major security hole allows Apple passwords to be reset with only email address, date of birth”, a headline that pretty much sums up the story, except that the fourth update to the article indicates that the vulnerability has since been fixed. It’s worth noting that the exploit apparently didn’t work on accounts where Apple’s new two-factor authentication was enabled. Unfortunately, it turns out that the sign-up process for two-factor authentication also has some problems: some people have been told that they can’t sign up for three days. (Tested and confirmed by Sophos.)
So, as Paul Ducklin also pointed out in the Sophos blog, it’s been something of a “good-bad-good-bad week” for Apple, security-wise.
Hat tip to Anders Nilsson for drawing my attention to the issue.
Small Blue-Green World
ESET Senior Research Fellow