Recent 'MFA Bombing' Attacks Targeting Apple Users

400 points | vdddv | 1 year ago | krebsonsecurity.com

222 comments

tanelpoder|1 year ago

There's an important omission in the article and the top comments here don't mention it either: Accidentally tapping "Allow" does not allow the attacker to change the password on their web browser. When you tap Allow on your device, you are shown the 6-digit pin on your device and you can use it to change your password on your device. The final part of the attack is that the attacker calls you using a spoofed Apple phone number and asks you to read out the 6-digit pin to them. If you choose to give out the 6-digit pin to the attacker over an incoming phone call, then they can use it in their browser to reset your password.

It's surprising that Krebs chose to omit this little detail in the security blog and instead seemed to confirm that someone could completely give away access to their account while sleeping.

WheatMillington|1 year ago

He describes this in the very first paragraph of the article:

> Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

madcadmium|1 year ago

It's in the article:

> Ken didn’t know it when all this was happening (and it’s not at all obvious from the Apple prompts), but clicking “Allow” would not have allowed the attackers to change Ken’s password. Rather, clicking “Allow” displays a six digit PIN that must be entered on Ken’s device — allowing Ken to change his password. It appears that these rapid password reset prompts are being used to make a subsequent inbound phone call spoofing Apple more believable.

mattmaroon|1 year ago

Fair, and good to know, but I could still easily see reasonable people (not just 80 yr olds with their Obamaphone) falling for this.

And even if not, there's a severe annoyance factor here that could be simply removed by Apple rate limiting these requests. Why can they send you hundreds of these in a short time?

lloeki|1 year ago

"recent"?

This happened to me and my wife (each starting a few days apart) in 2021, or maybe 2022 but no later. It started with a couple requests a day, then ramped up to every hour or something. IIRC we also both got a couple SMS claiming to be from Apple.

As soon as it ramped up I set up both accounts to use recovery keys, which is a move I had planned anyway on grounds that it should not be in Apple's (or someone coercing/subverting Apple, be it law enforcement or a hacker) power to get access to our accounts. This obviously stopped the attackers dead in their track.

For similar reasons I set up advanced data protection as soon as it was available and disabled web access. Only trusted devices get to see our data, and only trusted devices get to enroll a new device.

vdddv|1 year ago

Interesting that using the recovery key stopped the issue for you, but does not seem to do its job now. From the article:

> Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.

> KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices.

viraptor|1 year ago

It's not a recent approach, but this is a recent campaign using it against many people. Someone likely got a list of hacked passwords from some recent dump and is going through the Apple accounts from it.

fortran77|1 year ago

Wow! You'd think they'd rate limit these! Once you've done it twice, go to once every 15 minutes, then hour, then 4 hours, then day, etc. Like bad logins.

mcintyre1994|1 year ago

That message is horribly designed if it allows a password reset to happen on any other device after you click allow. It specifically says "Use this iPhone to reset". I'd have assumed it asks the person who clicked allow to set a new password, on the same device they clicked allow.

Then again if it shows on the watch too (and isn't just mirroring a phone notification, since it ignores quiet mode), I can't imagine the idea is you click allow on your watch and then type a password on its keyboard?

xsmasher|1 year ago

I don't think there's any danger in clicking "allow." There's still a 2FA step after that, and then you have to choose a new password. All of the danger comes from the phone call, where they presumably try to wheedle the 2FA code from you.

fortran77|1 year ago

> That message is horribly designed if it allows a password reset to happen on any other device after you click allow

This was a lifesaver when my 90 year old mother forgot her iMac password (and I forgot that I had created a second admin account on her machine.) After getting locked out of the iMac, we were able to reset it because we were able to get into her iPad (which she forgot the pin to, but fortunately we found it written down.)

rekoil|1 year ago

At some point the ability to trigger these prompts (or ones like them, like the Bluetooth-based setup new device prompts that were in the news last year) on Apple devices is itself the problem right?

Obviously it must be possible to reset one's password, but from the article it's apparently possible to make 30 requests to reset one's password in a short amount of time.

What possible non-malicious reason could there be for that to happen?

gruez|1 year ago

None, it's just that they haven't bothered adding a check for them. This isn't necessarily an indictment of them. It makes sense in hindsight, but between sprints, OKRs/KPIs, and promotion packets, it's easy to let non-sexy functionality like these slip through the cracks.

_def|1 year ago

I wonder how long it will take until another goal of these phone calls will be to gather enough samples to convincingly clone your voice.

ManBeardPc|1 year ago

There is already a variant where they try to get someone to say "yes" and just use a recording of it to use as "proof" that you agreed to some contract.

gruez|1 year ago

You're probably not going to get a voice clone from someone saying "hello?" 100 times. However, you don't really need to "MFA Bomb" people to clone their voice, just call them with a plausible sounding reason that will cause them to engage in an extended conversation (eg. "hey this is your uber/doordash driver/doctor/school/daycare").

rvz|1 year ago

Exactly this.

Another reason not to use phone calls (or the numbers) to verify users, even with so-called 'voice identification or voice ID', which can easily be broken with advanced voice cloning.

Sarkie|1 year ago

Good fucking point this

honzaik|1 year ago

I am confused. What does happen after clicking allow? Does Apple just provide a password reset form to the person on the iForgot website or does it show up only on the device?

viktorcode|1 year ago

I think it will show you the confirmation code on the device. Then the scammer will call to learn the code.

chatmasta|1 year ago

> he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line)

This happened to me exactly once, and it was two days after I ordered a new MacBook from the online Apple Store. Since I was expecting a shipment, I almost picked it up. But instead I called Apple Support myself, and asked if they had called me, and they said they had not.

gnicholas|1 year ago

Did you order right after a new model was released (as many people do), or did they just get lucky in calling you soon after you placed an order?

Zetobal|1 year ago

Same problem with Instagram; it's insane that so many giant companies have no rate limits in their recovery flows.

WatchDog|1 year ago

The problem with adding rate limits, at least a global per user rate limit, is that you then create a new denial of service issue, preventing people from being able to recover their account.

mavamaarten|1 year ago

I've been getting these on my LinkedIn account for a couple of days. Every few hours I get an email with a magic login link. They seem legitimate, originating from various locations around the globe.

standing_user|1 year ago

Happened to me yesterday. I was baffled, but then I found that you can request the one time password just using the email associated with the LinkedIn account, so the password wasn't compromised.

I have changed the password and main mail, and in the privacy settings of LinkedIn removed the visibility of the email.

m-p-3|1 year ago

I get these too, I wish I could turn the feature off in my account, especially since I already have multiple forms of 2FA (TOTP, Passkeys).

prmoustache|1 year ago

I have hated Push MFA since it was introduced.

How hard is it to just type a code, really? In the end, to fight against push bombing you end up with push notifications that ask you for a code anyway.

gruez|1 year ago

At least for iCloud sign-ins (not sure about password resets, too lazy to check), clicking "allow" doesn't allow the sign in, it only displays a 6-digit code that you have to enter to log in.
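The comments from tanelpoder, prmoustache and gruez all turn on the same design point: tapping "Allow" should issue a short-lived code that is displayed only on the approving device, and the party who started the reset gets nothing until that code is typed in. The following model of such an approve-then-code flow is an added example written for this thread; it is not Apple's code, and the trusted-device list, the five-minute code lifetime and the three-attempt cap are assumed values chosen for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Policy knobs (assumed values for this model, not Apple's):
CODE_TTL = 5 * 60          # seconds the device-displayed code remains valid
MAX_CODE_ATTEMPTS = 3      # wrong codes tolerated before the session is voided


@dataclass
class ResetSession:
    account_id: str
    requested_at: float
    approved_by: Optional[str] = None   # trusted device that tapped "Allow"
    code: Optional[str] = None          # 6-digit code shown only on that device
    code_issued_at: float = 0.0
    failed_attempts: int = 0
    completed: bool = False
    voided: bool = False


class ResetService:
    """Server side of a hypothetical approve-then-code password reset flow."""

    def __init__(self, trusted_devices: Dict[str, Set[str]]) -> None:
        self.trusted_devices = trusted_devices      # account_id -> device ids
        self.sessions: Dict[str, ResetSession] = {}

    def request_reset(self, account_id: str, now: float) -> str:
        """Anyone who knows the account identifier can start a session; this
        is the step that produces the push prompt on the trusted devices."""
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = ResetSession(account_id, now)
        return session_id

    def approve(self, session_id: str, device_id: str, now: float) -> Optional[str]:
        """Tapping "Allow" on a trusted device. The only effect is that a
        short-lived code is issued and returned to *that device* for display;
        the requester's browser session learns nothing here."""
        s = self.sessions[session_id]
        if device_id not in self.trusted_devices.get(s.account_id, set()):
            return None                      # answered from an unknown device
        if s.voided or s.completed or s.code is not None:
            return None                      # one code per session
        s.approved_by = device_id
        s.code = f"{secrets.randbelow(10**6):06d}"
        s.code_issued_at = now
        return s.code

    def complete_reset(self, session_id: str, code: str, now: float) -> bool:
        """The requester must present the code. Without it, approval alone
        changes nothing. Expiry and an attempt cap bound guessing."""
        s = self.sessions[session_id]
        if s.voided or s.completed or s.code is None:
            return False
        if now - s.code_issued_at > CODE_TTL:
            s.voided = True
            return False
        if not hmac.compare_digest(s.code, code):
            s.failed_attempts += 1
            if s.failed_attempts >= MAX_CODE_ATTEMPTS:
                s.voided = True
            return False
        s.completed = True                   # caller may now set a new password
        return True


def approval_without_code_completes_reset() -> bool:
    """Worked check: the owner taps Allow, but the requester holds no code."""
    svc = ResetService({"ken": {"ken-iphone"}})      # constructed sample account
    sid = svc.request_reset("ken", now=0.0)
    svc.approve(sid, "ken-iphone", now=1.0)          # code is shown on the phone only
    return svc.complete_reset(sid, "", now=2.0)      # requester's browser: no code
```

In this model the code, not the tap, is the secret: the reset only completes when the code leaves the device, which is exactly the step the article's phone call is designed to extract. A real implementation would also tie the session to the requesting browser and rate-limit `request_reset`, which is the separate problem several commenters raise.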

WarOnPrivacy|1 year ago

> he received a call on his iPhone that said it was from Apple support.

> "I said I would call them back and hung up," Chris said, demonstrating the proper response to such unbidden solicitations.

We're long-conditioned to assume that calling a large company and reaching a human will be difficult to impossible - and if we succeed, it will be an unpleasant experience. Much more so for a major tech company.

As far as this scam succeeds, it's partially due to intentional business designs.

metanonsense|1 year ago

A few weeks ago, we had a major problem with our Apple developer account (which is registered to my name). For days, I tried everything to avoid calling customer support (for the above reasons) and only agreed when our release team started panicking. I was more than surprised how incredibly good Apple's support team was. Recovering from the problem was quite difficult (and the circumstances that led to it made me question Apple's SW dev capabilities), but the support experience was simply perfect.

someguydave|1 year ago

This is true, and it is because the public is mostly too inept to be responsible for themselves

chrisjj|1 year ago

> even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts.

So... Apple Watch "quiet" is broken??

brookst|1 year ago

I find sleep focus mode much more reliable than the silent switch. It’s confusing they have both.

rootusrootus|1 year ago

This seems like it is entirely a human problem, not any kind of technical failure. The fix is the same as it always was -- people need to be trained to say no by default, do not trust inbound calls ever, and never ever share your credentials.

If you follow that advice, this attack poses no risk other than annoyance. If you do not give your password to the creep who calls you claiming to be Apple support, you will be okay.

ascorbic|1 year ago

A system that lets an attacker send hundreds of push notifications, effectively making a phone unusable until you click "allow" is a technical failure. So is one that lets an attacker spoof Apple's caller ID. Sure, that one is a failure with caller ID in general, but it's not beyond Apple's ability to special-case its own numbers.

dimgl|1 year ago

> people need to be trained to say no by default, do not trust inbound calls ever

This really sucks though. It basically means that our current phone system is inherently broken and something that was potentially useful before is no longer useful due to malicious actors.

kevrmoore|1 year ago

This happened to me about 2 yrs ago. It catches you off guard when you receive a spoofed call from Apple Care as you are being bombarded with PW reset requests from your iCloud. Of course, the hacker is really good and answers all the Apple-related questions fluidly. I believe my account data came from the big Ledger hack, so they were targeting crypto holders. iCloud security was so weak back then!

chefandy|1 year ago

I've been too immersed in university happenings recently. It took me clicking on the link and reading until "password reset feature" to realize that this wasn't some bizarre phishing attack involving Masters of Fine Arts degrees.

type_Ben_struct|1 year ago

I’m still disappointed by Apple's implementation of security keys. I want to be able to prevent all 2FA methods other than security keys, but it still seems possible in certain flows to authorise a new login with another iOS device, making it vulnerable to this attack.

lloeki|1 year ago

Interesting. I was contemplating moving to security keys (which according to the setup flow "replaces verification codes"), but IIUC you're saying one can still fall back to verification codes in some flows?

dm|1 year ago

What flows have you found not to use security keys?

JohnMakin|1 year ago

My MFA applications do not work on any other device, even if it’s restored from iCloud. However, this would still be incredibly concerning.

rvz|1 year ago

Yet another reason why phone number verification is the most insecure way to verify users, and it doesn't matter if a company like Apple is using it or your bank using so-called 'Military grade encryption'. The point still stands [4] with countless examples [0] [1] [2] [3].

Unless you want your users to be SIM swapped, there is no reason to use phone numbers for logins, verification and 2FA.

[0] https://news.ycombinator.com/item?id=36133030

[1] https://news.ycombinator.com/item?id=34447883

[2] https://news.ycombinator.com/item?id=27310112

[3] https://news.ycombinator.com/item?id=29254051

[4] https://www.issms2fasecure.com

saagarjha|1 year ago

This has nothing to do with SIM swapping or phone numbers.

mhdhn|1 year ago

What's the recommended alternative for mere mortal hackers?

yieldcrv|1 year ago

I think we should start doing product liability lawsuits to any organization capable of having user financial data affected from their account, that is using SMS one time codes as either default, enabled by default, and the heaviest legal remedies to financial organizations where that's the only option

we should also update PCI DSS compliance or whatever relevant security standard to call SMS one time codes totally insecure

we can also reach insurers these companies use and tell them to force removal of SMS one time codes

do a multi pronged assault on SMS one time passcodes

shuntress|1 year ago

It still seems wrong to me that we, as a society, have basically accepted this level of crime as just a constant sort of background noise in daily life.

nerdjon|1 year ago

The lack of rate limiting is surprising, either on the server side or the OS side (or both).

I mean they already lock my iPhone after too many failed attempts with my passcode and it gets longer each time, I feel like the lock here should be the same.

A better prompt would also go a long way.
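fortran77 proposed a concrete schedule earlier in the thread (two prompts freely, then one per 15 minutes, then per hour, per 4 hours, then per day, "like bad logins"), nerdjon makes the same comparison to the iPhone passcode lockout, and WatchDog points out that a naive per-account limit turns the flood into a denial of service against the real owner's recovery. The limiter below is an added example written for this thread, not Apple's code: it implements that escalating schedule per account, starts over after a quiet period (the two-day window is an assumed value), and exposes `clear()` so that a recovery or sign-in completed on a trusted device lifts the throttle rather than leaving the owner locked out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Schedule from the thread's proposal: two prompts freely, then one per
# 15 minutes, then per hour, per 4 hours, per day (the day cap repeats).
FREE_ATTEMPTS = 2
BACKOFF_SCHEDULE = [15 * 60, 60 * 60, 4 * 60 * 60, 24 * 60 * 60]
# After this much quiet time the counter starts over (assumed value).
EPISODE_WINDOW = 2 * 24 * 60 * 60


@dataclass
class AccountState:
    attempts: int = 0             # prompts delivered in the current episode
    next_allowed_at: float = 0.0  # unix time before which prompts are refused
    last_delivered_at: float = 0.0


class ResetPromptLimiter:
    """Per-account throttle on unsolicited password-reset push prompts."""

    def __init__(self) -> None:
        self.states: Dict[str, AccountState] = {}

    def request(self, account_id: str, now: float) -> Tuple[bool, float]:
        """Return (deliver?, seconds_until_next_allowed)."""
        st = self.states.setdefault(account_id, AccountState())
        if st.attempts and now - st.last_delivered_at > EPISODE_WINDOW:
            st.attempts, st.next_allowed_at = 0, 0.0     # quiet period: start over
        if now < st.next_allowed_at:
            return False, st.next_allowed_at - now      # refused, nothing is pushed
        st.attempts += 1
        st.last_delivered_at = now
        if st.attempts >= FREE_ATTEMPTS:
            idx = min(st.attempts - FREE_ATTEMPTS, len(BACKOFF_SCHEDULE) - 1)
            st.next_allowed_at = now + BACKOFF_SCHEDULE[idx]
        return True, 0.0

    def clear(self, account_id: str) -> None:
        """Call when the owner completes a reset or sign-in on a trusted
        device, so a genuine recovery is not blocked by an earlier flood."""
        self.states.pop(account_id, None)


def simulate_burst(n: int, account_id: str = "victim@example.invalid") -> List[Tuple[float, bool, float]]:
    """Constructed scenario: n reset requests one second apart, as in a
    prompt flood. Returns (time, delivered?, wait) for each request."""
    lim = ResetPromptLimiter()
    return [(float(i),) + lim.request(account_id, float(i)) for i in range(n)]


def delivered_count(log: List[Tuple[float, bool, float]]) -> int:
    return sum(1 for _, delivered, _ in log if delivered)
```

Run against the article's figure of roughly 30 requests in a short window, `simulate_burst(30)` delivers two prompts and refuses the rest for 15 minutes; the third delivered prompt then costs an hour of waiting, and so on up to the daily cap. The trade-off WatchDog describes is not eliminated, only bounded: a flooder can still force the owner to wait up to a day for the next push prompt, which is why recovery paths that do not depend on a push (the recovery key discussed above, or `clear()` on a successful trusted-device sign-in) matter alongside the limiter.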

CodeWriter23|1 year ago

I think the way the attacker probes if the victim is using an iPhone is they message-spam using Beeper-style use of Messages servers and interpret the error codes.

paul_h|1 year ago

The fatigue part: if you clicked allow, and the hackers called you for the second step, but you responded "I understand you're a hacker and are wanting to steal from me in some way, but I am only going to give you incorrect pin numbers, so please stop with the reset dialogs and update your database not to try it again with me" .. would they stop? /s

woadwarrior01|1 year ago

Quite shocking how oblivious a lot of ostensibly tech savvy people are to the existence of hardware security tokens. Yubikeys have been around for over 15 years now, although Apple only added support for hardware tokens recently.

https://support.apple.com/en-us/HT213154

recursive|1 year ago

I know they exist. I just don't really know how they work or what they do.

someguydave|1 year ago

They don’t help in the case that your unlocked phone is stolen

fennecbutt|1 year ago

B-but iPhones are secure and are the best and Apple spends so much money on security to keep us safe and don't need any government/EU oversight at all. Proof that Apple's "it's for your own good" has always just been marketing.

(Don't get me wrong, let's go after Google, MS, Sony, et al too!!!)

ghodith|1 year ago

I don't see where EU regulations would have helped in this case.