Yesterday, Apple rolled out two-step verification to protect against the hijacking of Apple accounts and iCloud accounts. But just after this announcement, a vulnerability was discovered that allows attackers to hijack an iCloud or Apple account just by entering the victim's email address and date of birth.
We saw online tutorials that show how a person can hijack someone else's Apple account just by using Apple’s own tool. The process was simple, and anyone can easily manage to get the answer. This can be done by using a modified URL and Apple’s iForgot page.
Like two-step verification on other websites, Apple’s two-step verification identifies a user accessing an Apple account from a new device. For verification, Apple sends a numerical code to your iPhone via text message. You need to enter this code on the website to authenticate yourself.
At the time of writing this report, Apple’s password reset tool was down. This may be an indication that the company is working on patching the vulnerability.