Security Hole Allows Apple ID Password Resets with Just Email, Birthdate

Yesterday Apple implemented 2-step authentication security for Apple ID accounts, but unfortunately did not include Canada as part of its launch. Ironically, The Verge reports of an exploit where Apple ID password resets can by achieved with only an email and date of birth, using a modified URL of Apple’s iForgot page (which is currently taken down):

The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.

To add further insult to injury, The Verge further reports some users that signed up for 2-step authentication were told by Apple they had to wait three days to enable the added security protocol, to “ensure no one other than the owner of this Apple ID can set up two-step verification.” This means these users in limbo currently have accounts susceptible to this account reset exploit, and can protect themselves by changing their birthdates.


The timing of this exploit is pretty bad timing for Apple, as 2-step authentication was supposed to protect against such security holes. Expect Apple to possibly release a statement explaining the hole has been closed.

Update 3:27PM: As we predicted, Apple provided a statement to The Verge and said a fix is coming:

“Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.”