Just this past week, Apple rolled out an updated version of its web services to help protect users' privacy against hackers and evil-doers. However, in its attempt to make it easier to keep users' data safe via a new two-step authentication process, the company may have compromised the security of millions of Apple IDs.
The Verge reports that as of press time, the accounts of those who haven't opted into Apple's new two-step authentication (which no doubt includes the overwhelming majority of Apple's users) are vulnerable to malicious attack.
Using Apple's Apple ID iForgot page, anyone with a user's email address and date of birth can reset the password for that account.
From there, that person could gain access to backups and information stored on iCloud. Compounding the issue is the very real possibility that any given account could be subject to a three-day wait before it can even be switched over to the new two-step authentication system. Those accounts are fully vulnerable to the password reset exploit and will remain so for as long as it takes Apple to switch on the heightened security.
According to The Verge, Apple is working on a fix, though there's no timeline on when that fix might be available. As of now, iForgot has been disabled to prevent evil-doers from taking advantage of the situation.
Security-conscious users should log into their Apple ID via Apple.com and change their birthday to something other than their real one.
This issue comes just days after Apple released iOS 6.1.3, an update that was meant to correct a bug that existed in the first version of iOS 6. That bug allowed someone to circumvent the iOS lock screen and gain access to a user's photos and contacts.
As it turns out, that update shipped with another security vulnerability that circumvents a user's device PIN. In this hack, someone with malicious intent could activate Voice Control using the device's home button, initiate a call via voice command, and then eject the tray that holds the phone's SIM card. From the dialler screen that's then presented, iOS would allow them complete access to any onboard contacts and a log of the phone calls recently made by the device. Fortunately, in that case only users of the iPhone, iPhone 3G, iPhone 3GS, and iPhone 4 are affected.