Apple ID security issue fixed, password page back online

The page was taken down yesterday, after reports of an exploit that could let hackers with a user's e-mail address and birth date change the user's Apple ID password. The company has fixed the issue.

Edward Moyer
Edward Moyer Senior Editor
Edward Moyer is a senior editor at CNET and a many-year veteran of the writing and editing world. He enjoys taking sentences apart and putting them back together. He also likes making them from scratch. ¶ For nearly a quarter of a century, he's edited and written stories about various aspects of the technology world, from the US National Security Agency's controversial spying techniques to historic NASA space missions to 3D-printed works of fine art. Before that, he wrote about movies, musicians, artists and subcultures.
Expertise Wordsmithery. Credentials Ed was a member of the CNET crew that won a National Magazine Award from the American Society of Magazine Editors for general excellence online. He's also edited pieces that've nabbed prizes from the Society of Professional Journalists and others.
Apple's two-step verification process, introduced Thursday. Jason Cipriani/CNET

Apple has fixed the security issue involving its Apple ID password-reset page, a vulnerability that had made it possible for hackers with a user's e-mail address and birth date to reset the user's password.

Apple said yesterday that it was aware of the issue and was preparing a fix. Meanwhile, the company had taken the "iForgot" reset page offline for maintenance. Now the page is back up, and Apple has confirmed the fix with CNET.

The security exploit made use of a special URL that got around the need to answer a security question. Apple had added the question step last April.

The exploit didn't work on the accounts of users who had enabled two-step verification, which Apple introduced Thursday. That system does away with the security question in favor of sending a request for a four-digit PIN code to a cell phone. The user enters the PIN along with the typical password.

However, as reported by The Verge, a number of Apple ID holders were told they'd have to wait three days before they could enable the two-step verification setup. Also, at this point, the two-step system is available only in the U.S., Britain, Australia, Ireland, and New Zealand.

There are more than 500 million active Apple ID accounts, which are used for the company's various stores and online services, including iCloud.

Update, 9:40 a.m. PT: We just received official confirmation from Apple that the company has fixed the issue. This story has been updated to reflect that.