
Apple Support Allowed Hackers Access To User's iCloud Account

Posted by samzenpus
from the let-me-in dept.
Robadob writes "Yesterday a hacker gained access to Mat Honan's (an editor at Gizmodo) Apple iCloud account, allowing the attacker to reset his iPhone, iPad, and MacBook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack; however, today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."
  • by sabri (584428) * on Sunday August 05, 2012 @02:46PM (#40888293)

    This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

    "What was the name of your first pet?" Hell you can find that with Google.

    "What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.

    Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".

    Perhaps you should go back and read the article (just the summary will do): the "hacker" socially engineered an Apple support "engineer" to bypass the security questions. So he did not even need to google them.

  • by tomhath (637240) on Sunday August 05, 2012 @02:51PM (#40888339)
    True, but Gramma wouldn't link all her devices like that. One account compromised shouldn't get you remote root access to every other device.
  • by ilsaloving (1534307) on Sunday August 05, 2012 @03:00PM (#40888399)

    Actually, it's entirely possible she could, because Apple's iCloud makes it that easy.

  • by MacGyver2210 (1053110) on Sunday August 05, 2012 @03:21PM (#40888573)

    This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

    "What was the name of your first pet?" Hell you can find that with Google.

    If it's so easy, kindly tell me my first pet's name, my date of birth, the city I was born in, the make of the first car I drove, my first school's name, my mother's maiden name, and the answer (or even question) to my 'other' security question? Keep in mind these need to be formatted exactly as I have entered them, and not as you may have copied them from a public record.

    Security questions are plenty secure, as long as you don't have a path to just avoid them entirely, as Apple so kindly provided here.

  • by wonkey_monkey (2592601) on Sunday August 05, 2012 @03:27PM (#40888595) Homepage

    Yesterday a hacker gained access to Mat Honans...

    Let me introduce you to Mr Apostrophe [wikipedia.org].

    (An editor at gizmodo)

    (an editor at Gizmodo)

    allowing him... He was also able...

    No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)

    apple iCloud account... google and twitter accounts... apple customer support

    Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.

    down to a brute force attack, however today it has come out

    A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.

    Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.

  • Re:They Know Best (Score:5, Informative)

    by dsavitsk (178019) on Sunday August 05, 2012 @03:51PM (#40888735) Homepage
  • Re:They Know Best (Score:4, Informative)

    by Anrego (830717) * on Sunday August 05, 2012 @04:22PM (#40888965)

    Sure, but getting the data wasn't a goal here. In fact, they appear to have specifically wiped out the data. It's the accounts that are valuable, not what is in them.
