A major security flaw was discovered Friday that makes it possible to easily change another user’s Apple ID password and hijack the account.
Tech news site The Verge said it found a step-by-step tutorial online. The tutorial shows users how to use a modified Apple URL to gain access to someone else’s Apple ID account and reset that person’s password.
The Verge did not share the link to the tutorial out of security concerns, but it recommended that users enable Apple ID’s two-step verification in order to protect their accounts. Two-step verification is an optional safeguard users can add that sends a new code to their phones each time they want to access their Apple account.
Some users, however, report that when they try to enable two-step verification they get messages saying they must wait three days before the added safeguard starts working. The process is also currently available only to users in the U.S., U.K., Australia, Ireland and New Zealand. Users in other countries cannot use it to protect their accounts.
“Apple takes customer privacy very seriously,” company spokeswoman Trudy Muller told the Times. “We’re aware of this issue and working on a fix.”
The company has not completely fixed the issue, but it has taken down the iForgot page, which is the key part of the hijacking process.
The security flaw was discovered shortly after Apple sent out updates to patch up another flaw on the iPhone that made it possible for users to get past the phone’s lock screen without entering the necessary passcode.