Apple has fixedinvolving its Apple ID password-reset page, a vulnerability that had made it possible for hackers with a user's e-mail address and birth date to reset the user's password.
Apple said yesterday that it was aware of the issue and was preparing a fix. Meanwhile, the company had taken the "iForgot" reset page offline for maintenance. Now the page is back up, and Apple has confirmed the fix with CNET.
The security exploit made use of a special URL that got around the need to answer a security question. Apple had added the question step last April.
The exploit didn't work on the accounts of users who had enabled two-step verification, which Apple introduced Thursday. That system does away with the security question in favor of sending a request for a four-digit PIN code to a cell phone. The user enters the PIN along with the typical password.
However, as reported by The Verge, a number of Apple ID holders were told they'd have to wait three days before they could enable the two-step verification setup. Also, at this point, the two-step system is available only in the U.S., Britain, Australia, Ireland, and New Zealand.
There are more than 500 million active Apple ID accounts, which are used for the company's various stores and online services, including iCloud.
Update, 9:40 a.m. PT: We just received official confirmation from Apple that the company has fixed the issue. This story has been updated to reflect that.
All the latest Apple news, featuring developments on the iPhone, iPad, Macbooks, OS X and much more.
Dec 3Apple's car letter: What's it driving at?
Dec 2NYPD busts $8 million counterfeit phone scheme
Dec 2Apple factory manager indicted for stealing thousands of iPhones
Dec 2CNET UK podcast 508: Nokia's return and an all-night cat rave