If you haven’t already set up 2-step verification for your iCloud/Apple ID, you should probably go and do it now. Right now. The Verge has reported that virtually anyone can log in to someone else’s Apple ID account by way of a simple reset that requires just the email address and date of birth of the account owner.
We’ve been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
Thankfully, the massively popular tech site didn’t post a link to the tutorial, and we will not be looking for it either. If you don’t know how to set up your 2-step verification, check our simple tutorial. And get it done as soon as you can. Those with 2-step verification in place are not vulnerable. However, if you’re one of the frustrated users being forced to wait three days for it to become active, you are vulnerable.