A major security flaw was discovered on Friday that made it possible to easily change another user's Apple ID password and hijack the account.
Tech news site The Verge said it found the step-by-step tutorial online. The tutorial showed users how to use a modified Apple URL to gain access to someone else's Apple ID account and reset that person's password.
The flaw was patched late on Friday. While it was still active, it allowed anyone to reset an Apple user's password using just their email address, date of birth and the modified URL.
The Verge did not share the link to the tutorial out of security concerns, but it recommended that users enable Apple ID's two-step verification in order to protect their accounts. Two-step verification is an optional safeguard users can add that sends a new code to their phones each time they want to access their Apple account.
Some users reported, however, that after they tried to enable two-step verification they were told that they must wait three days before the added safeguard started working. The process is also currently available only to users in the US, UK, Australia, Ireland and New Zealand. Users in other countries cannot use this process to protect their accounts.
"Apple takes customer privacy very seriously," company spokeswoman Trudy Muller said. "We're aware of this issue and working on a fix."
On Friday the company took down the "iForgot" password reset page, which is the key part of the hijacking process. The password reset page was later back online and the vulnerability appeared to be fixed.
The security flaw was discovered shortly after Apple sent out updates to patch another flaw on the iPhone that made it possible for users to get past the phone's lock screen without entering the necessary passcode.
LA Times and Fairfax Media