Apple suspends password resets after critical account-hijack bug is found (Updated) | Ars Technica
Update: Apple restored the password resets on Friday night.
Apple suspended the password-reset functionality for its iCloud and iTunes services following a published report that hackers could exploit it to hijack other people’s accounts.
The password reset page stopped loading a few hours after The Verge reported there was an online tutorial that provided detailed instructions for taking unauthorized control of Apple accounts. The report didn’t identify the website or the precise technique, except to say it involved “pasting in a modified URL while answering the DOB security question on Apple’s iForgot page.”
“It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand,” reporter Chris Welch wrote. “Out of security concerns, we will not be linking to the website in question.”
A few hours later, the news site published a separate post quoting Apple officials as saying they were “aware of the issue, and working on a fix.”
Those who had already enrolled in the two-factor authentication protection Apple unveiled on Thursday were reportedly not affected by the attack. Those who hadn’t signed up were presumably vulnerable to anyone who knew their birthdate, since that was the only knowledge-based check the modified URL was reported to bypass. Given the common practice of disclosing birthdays on Facebook and other social media, the information nee