
Apple Support Allowed Hackers Access To User's iCloud Account

Posted by samzenpus
from the let-me-in dept.
Robadob writes "Yesterday a hacker gained access to Mat Honan's (an editor at Gizmodo) Apple iCloud account, allowing the attacker to reset his iPhone, iPad, and MacBook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack; however, today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."


  • by west (39918) on Sunday August 05, 2012 @02:41PM (#40888251)

    But understand that it will cause massive unhappiness for the majority of cases where (for example) one's 75-year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grandchildren's emails.

    The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.

    • by jkflying (2190798)

      Then have optional 2-factor auth. It's not that hard...

      • by Anrego (830717)

        Recovery will still be the weak point.

        Parent is on the right track though. You need some way to decide in advance how much of a pain it will be to recover down the road. Personally I'd love an option where they made it very difficult, even if at a cost to myself (like they actually verify my identity... and charge me $200 for the time...).

    • by tomhath (637240) on Sunday August 05, 2012 @02:51PM (#40888339)
      True, but Gramma wouldn't link all her devices like that. One account compromised shouldn't get you remote root access to every other device.
      • by ilsaloving (1534307) on Sunday August 05, 2012 @03:00PM (#40888399)

        Actually, it's entirely possible she could, because Apple's iCloud makes it that easy.

      • by Splab (574204)

        Why not?
        Gain access to my email and you've got at least 5 years' worth of data to plow through; you should be able to figure out what sites I'm using and get password resets on most of them, and it's indexed by Google to make life easier for hackers.

        On top of that, even for the sites that require more information, you would probably be able to get through via my mail account.

    • So you post a password reset code to her house. Or you charge her $1 on the credit card that she used to pay for the phone for the reset. Or you send it to another email address that she entered when she created it.
    • by Lisias (447563)

      I don't see that massive unhappiness when banking security locks people's accounts, or any other measure taken when suspicious activities are detected.

      On the other hand, I don't see someone on a bank's help desk making such a mistake either.

      In the long run, you really get what you pay for.

      • by west (39918) on Sunday August 05, 2012 @10:27PM (#40891083)

        Funny, I just read a story about how HSBC had basically locked a young woman's college fund (~$10K) away until she personally visits their offices in Great Britain along with appropriate documentation. (They closed the branches in her country...) It will cost her half the money (and a week's wages) to go and collect it.

        So, not *everybody* is happy with a bank making absolutely sure that they don't give it to the wrong people :-).

    • by AmiMoJo (196126)

      I'm just amazed that there is no two-factor authentication for remotely wiping devices.

    • by cshbell (931989) on Sunday August 05, 2012 @08:06PM (#40890373)

      But understand that it will cause massive unhappiness for the majority of cases where (for example) one's 75-year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grandchildren's emails.

      This is a problem that bites both ends. Consider this real-world scenario that happened to me last week:

      I work for a senior care organization. One of our residents, a cheerful 92-year-old woman, uses her AT&T email frequently to communicate with family and friends; she's fairly savvy, actually. However, she is starting to suffer from cognitive problems, which have caused her to forget her password. When we tried to reset her password and walked through the security questions, she also had trouble remembering the answers to those questions. We called AT&T and explained the situation, but they understandably (and rightfully) treated our request as a hostile attempt to access the account and would not help us.

      She's the legitimate owner of her account -- how can she be helped? This may seem like an extreme situation, but these problems will only increase as we all continue our digital lives and begin to age.

      Password and account verification is a difficult problem to solve. If there's a silver bullet, I haven't heard of it yet.

  • by ZorinLynx (31751) on Sunday August 05, 2012 @02:42PM (#40888265)

    This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

    "What was the name of your first pet?" Hell, you can find that with Google.

    "What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.

    Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".

    • by sabri (584428) on Sunday August 05, 2012 @02:46PM (#40888293)

      This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

      "What was the name of your first pet?" Hell, you can find that with Google.

      "What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.

      Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".

      Perhaps you should go back and read the article (just the summary will do): the "hacker" socially engineered an Apple support "engineer" to bypass the security questions. So he did not even need to google them.

      • by Telvin_3d (855514)

        So far the quote "They got in via Apple tech support and some clever social engineering that let them bypass security questions." is the only bit of information. It's hard to say what is covered under "clever social engineering" or "bypass" without more details. Did the hacker just do an incredible job of fast talking or is this a case where "clever social engineering" means they dug up security question answers that the author (and tech support) figured were un-discoverable?

        • by Macrat (638047)

          And this report is coming from someone associated with Gizmodo.

          This whole report could be staged.

        • by Lisias (447563)

          It's hard to say what is covered under "clever social engineering" or "bypass" without more details

          But you can do some educated guess. 99% of the time, the victim of the scam claims the intellectual superiority of the scam to disguise the intellectual inferiority of themselves.

          Paint the perpetrator as a genius, and perhaps people will not figure out how actually stupid you were.

      • idk, but to me this seems like another case of a "news outlet" (to use the phrase loosely) creating news... like that one site did a while back with antennagate.
    • What, do you think they verify if your answer is factually correct?

      A person could find out what school you went to, while no one but you is going to know you put in "The Napoleonic Wars" as the acceptable response.

    • by Quazion (237706)

      You don't have to use the real answer to these questions. It's just another password, but one with a hint.
      Now that I am thinking of it, time to change all the security questions to the same hard to guess answer.

    • by Nerdfest (867930)

      I actually use completely unrelated responses to these questions and store them in a password manager as well. Of course with a password manager, they're never really needed.

      • by sco08y (615665)

        I actually use completely unrelated responses to these questions and store them in a password manager as well. Of course with a password manager, they're never really needed.

        Some sites ask for security questions when they detect no cookie.

      • I type in a lot of random gibberish and accept the fact I will never be able to recover my password.
    • by tkprit (8581)

      True that, but some sites let you define questions. "Street your best friend lived on when she was twelve plus last name of her then-crush." My sister can't guess these. (Ofc her memory's shot to shit from opiates but w/e).

    • Never answer the question accurately. Instead, use the question as a hint for your real answer. If it asks for the name of your elementary school, try to pick out something of interest like a fond memory or fact regarding the school that you don't blab to everyone, for example.

      However, this has little to do with the article at hand. The question was completely bypassed without needing an answer. Apple just let him right in.

      • Just use a password safe, and generate passwords to use as the answers to those questions. You could have a special password file which contains all the answers, in case your primary password file is corrupted.

        You can put anything in those fields. It doesn't have to be the actual answer. It doesn't even have to be words.

    • by ccguy (1116865)

      This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

      I'm more pissed by the fact that the questions *can't be changed* and everyone asks the same ones. Seriously, how is it possible that both my bank and a torrent site make me tell them the name of the first school?

      Questions must be user defined (a fucking string) instead of coming from a list of the same 5 or 6 questions that everyone asks.

      Plus some of them just don't apply worldwide. The 'maiden name' of a mother may be something not trivial in the US, but in many countries the wife never changes her

    • by MacGyver2210 (1053110) on Sunday August 05, 2012 @03:21PM (#40888573)

      This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

      "What was the name of your first pet?" Hell, you can find that with Google.

      If it's so easy, kindly tell me my first pet's name, my date of birth, the city I was born in, the make of the first car I drove, my first school's name, my mother's maiden name, and the answer (or even question) to my 'other' security question? Keep in mind these need to be formatted exactly as I have entered them, and not as you may have copied them from a public record.

      Security questions are plenty secure, as long as you don't have a path to just avoid them entirely, as Apple so kindly provided here.

      • I was born in "ew0M-?6IMpZr". At least, that's what my password generator told me this time. It'll tell me something different for the next website I create an account on.

    • by TCM (130219)

      "What was the name of your first pet?" Hell, you can find that with Google.

      Which is another problem these days.

    • by Shetan (20885)

      Why do you have to answer the questions with the correct answers? As long as you remember how you answered them, it doesn't matter if the answers are actually correct. Your first pet could be George W. Bush. Your elementary school could be Starfleet Academy.

      • by gmhowell (26755)

        If my first pet was a goat, I think 'George W. Bush' would be the perfect name for it.

    • by mark-t (151149)

      "What was the name of your first pet?" Hell, you can find that with Google.

      Wanna make a bet on that?

    • The worst security question setup I've ever seen by far has to be my college's Oracle PeopleSoft (eServices, Blackboard, etc). The security question is: "Excluding the state you currently live in, what other state would you most like to live in?" And you have to answer with a fucking dropdown list of the other 49 states!
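Several comments in the thread above (Quazion, Nerdfest, the "just use a password safe" reply, Ryanrule's gibberish answers) converge on one point: a security answer is just a second password with a hint, and it should be generated, stored and checked like one. The following is an added example, not code from the original page or from Apple: a client-side generator for answers nobody can Google, and a server-side store that hashes normalized answers with a salted slow hash, checks every answer in a single attempt with a constant-time comparison, and locks the recovery path after a small failure budget. The question texts, the PBKDF2 iteration count and the lockout threshold are assumptions. Normalizing case and whitespace before hashing is a design choice of this example: it relaxes MacGyver2210's "formatted exactly as I entered them" slightly, in exchange for not locking out the legitimate user over a stray space, and costs no meaningful entropy.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import List, Optional, Tuple

# Assumed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
MAX_FAILURES = 5


def normalize(answer: str) -> str:
    """Canonicalise an answer before hashing: Unicode NFKC, case-fold and
    collapse whitespace, so "Starfleet  ACADEMY" and "starfleet academy"
    match. Design choice of this example, not a requirement."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Store a security answer the way a password is stored: per-record
    random salt plus a deliberately slow hash. The plaintext is not kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "digest": digest}


def verify_answer(record: dict, answer: str) -> bool:
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, record["digest"])


def random_answer(nbytes: int = 16) -> str:
    """Client side: an answer nobody can Google or infer from a blog post.
    It lives in the password manager next to the real password."""
    return secrets.token_urlsafe(nbytes)


class RecoveryQuestions:
    """Server side. All questions are checked in one attempt, the response
    does not say which answer was wrong, and a small failure budget locks
    the recovery path. There is no agent-facing bypass."""

    def __init__(self, questions_and_answers: List[Tuple[str, str]]):
        self.records = [(q, hash_answer(a)) for q, a in questions_and_answers]
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def questions(self) -> List[str]:
        return [q for q, _ in self.records]

    def check(self, answers: List[str]) -> bool:
        if self.locked or len(answers) != len(self.records):
            return False
        # Evaluate every answer instead of short-circuiting, so the time
        # taken does not reveal which question failed.
        ok = True
        for (_, record), answer in zip(self.records, answers):
            ok &= verify_answer(record, answer)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok
```

The lockout is per account and deliberately blunt: once the budget is spent, even the correct answers are refused until whatever out-of-band process the operator uses re-enables the path. That is the property the Apple incident lacked, a recovery route that a persuasive caller cannot talk around.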
  • by sabri (584428) * on Sunday August 05, 2012 @02:48PM (#40888311)
    Now here is the question: would Apple be liable for the damages? Of course, they will have an EULA waiving all liabilities, but in a case like this where it is clearly Apple's failure to adhere to their own security framework, one could argue that Apple would be liable for all damages, plus a bit extra for all the inconvenience. Not to mention the bad press...
    • by arbiter1 (1204146)
      I think even though they waive all liability in the EULA, when they don't adhere to their own policy that removes the waiver and allows them to be sued. Kind of like if a site did that in its EULA but stored all passwords and CC info as plain text: since they didn't do anything to protect the data, they shouldn't be allowed to say you waive liability when they get hacked.
  • A neighbor had a similar problem several years ago - but that was with her bank account. Someone convinced the online support person to help her and as a result she lost the contents of her checking and savings accounts. No, the bank did not refund the money.

    All this shows is that if a hacker knows enough about you to convince someone else that they are you, you can lose a great deal. This guy should count himself lucky.

    It's a very fine line between providing good customer support and helping them, and b

    • Did she try suing the bank? I can't imagine what judge would seriously allow the bank to get away with that if it were through no fault of her own.

      • Honestly, his neighbor sounds like my neighbor.

        My neighbor is not a native English speaker, he doesn't read English very well, and he's the least likely to fight back when somebody scams him because on one hand he doesn't know it's even possible to fight back and on the other hand he doesn't have a good support network (unless you count me, and personally, I'm not too keen on doing his paperwork for him).

    • by Nerdfest (867930)

      A friend of mine once forgot his wallet, needed money, so went to a branch of his bank near my place. He convinced them to give him a couple of hundred bucks from his account even though he had no ID. He got the money, and then yelled at them for giving it to him... a bit rude, but I can understand his concern. People are very easy to talk into things. Nice people feel like dicks for turning down a perfectly reasonable request from a 'nice' person.

    • I had something similar happen. My spouse's ex transferred my car insurance to another car. I only found out by accident because I just happened to make an inquiry a few days later and the phone person started talking about an entirely different car.

      It's unfortunate, but companies in general are going to have to start using better security, and consumers are just going to have to suck that up. If your life can be ruined by one wayward phone call, then there is simply no choice in the matter. It must be

  • by icebike (68054) on Sunday August 05, 2012 @02:52PM (#40888345)

    Had the user set up two-factor authentication, his Google stuff probably would have been safe.

    As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.

    As for all his devices being wiped by one single hack: relying on a single point of security makes for a single point of failure.
    I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.

    Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely to one single point of security.

    And what would he have done if he was just Joe Corporate Drone?

    He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.

    Seriously? contacts at Google and Twitter?
    1) very few people have those kinds of contacts.
    2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??

    • by game kid (805301)

      Seriously? contacts at Google and Twitter? 1) very few people have those kinds of contacts. 2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??

      I agree; never heard of this guy and he has who-you-know power at those two places...I smell fish and not of the pleasant filet kind.

      • by icebike (68054)

        That you never heard of him means nothing.

        Google Him. The story is everywhere.

        Apparently a lot of people know him. And some of those guys reached into Google and Twitter for him. And Google and Twitter RESPONDED!!!

        Could you do that?

  • by Ryanrule (1657199) on Sunday August 05, 2012 @02:55PM (#40888367)

    Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay

    First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh

    City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&

  • You cannot stop a successful social engineering attack. Technology cannot solve a problem like this. Only a change in policy can.

  • by wonkey_monkey (2592601) on Sunday August 05, 2012 @03:27PM (#40888595)

    Yesterday a hacker gained access to Mat Honans...

    Let me introduce you to Mr Apostrophe [wikipedia.org].

    (An editor at gizmodo)

    (an editor at Gizmodo)

    allowing him... He was also able...

    No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)

    apple iCloud account... google and twitter accounts... apple customer support

    Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.

    down to a brute force attack, however today it has come out

    A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.

    Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.

  • by davidwr (791652) on Sunday August 05, 2012 @03:51PM (#40888733)

    My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.

    Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product warranty registration information, etc.," or,

    "Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your driver's license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."

    That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.

    • by stephanruby (542433) on Sunday August 05, 2012 @06:21PM (#40889751)

      "Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your driver's license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."

      "Listen, I'm in Istanbul (or wherever), I've just been robbed. They took everything, including my wallet!!! I don't know if there is an Apple Store around here. Please help me mitigate the damage before they get access to my emails and my bank accounts through my iPad (I was in the middle of using my iPad so the screen wasn't locked)."

      Now, I'm not saying this is the script they used, most likely not. I'm sure the hacker used a much better one, probably one that's based on the hard-earned experience and real world testing of thousands of other hackers and scam artists that came before him.

      I'm just saying that it takes excellent ongoing training to make sure none of your staff gets bamboozled by this kind of scenario. Hard coded corporate rules and security manuals are all well and good for 99% of the scenarios that come up during the normal course of business hours. But what happens if someone tells you a very plausible story and tells you they could very well die if you don't give them access to their account. Most likely that scenario is not listed in your security manual, and the manual prevents you from disclosing their account information, but it's not the first time, nor the last time, that a customer service representative will ignore the poorly written manual that came from above, and use their own personal judgement to make a quick decision on the spot for the perceived welfare of the caller.
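davidwr's proposal above, a temporary credential delivered half over the phone and half through a channel tied to a verified address or an in-person ID check, can be made stronger than literal halves: if the two parts are XOR shares of a random secret, whoever holds only one of them (the caller, or the support agent who reads one out) learns nothing about the secret, and no amount of fast talking on the phone channel alone completes the reset. The following is an added example, not code from the original page and not Apple's own recovery process. How each share is actually delivered (phone, post, fax to a store) is outside the example; the token length, time-to-live and attempt budget are assumptions, and the clock is injectable so the expiry path can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters for this example.
TOKEN_BYTES = 16
DEFAULT_TTL = 7 * 24 * 3600   # a posted share takes days to arrive
MAX_ATTEMPTS = 3


@dataclass
class PendingRecovery:
    digest: bytes        # sha256 of the secret; the secret itself is not stored
    issued_at: float
    ttl: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class RecoveryService:
    """Issues two-channel recovery tokens and redeems them once."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}

    def open_request(self, account_id: str, ttl: float = DEFAULT_TTL):
        """Return (phone_share, mail_share) as hex. Each share is uniformly
        random on its own; only their XOR is the secret. The two values must
        leave the building by different routes and never both to the caller."""
        secret = secrets.token_bytes(TOKEN_BYTES)
        phone_share = secrets.token_bytes(TOKEN_BYTES)
        mail_share = bytes(a ^ b for a, b in zip(secret, phone_share))
        self.pending[account_id] = PendingRecovery(
            hashlib.sha256(secret).digest(), self.clock(), ttl
        )
        return phone_share.hex(), mail_share.hex()

    def redeem(self, account_id: str, phone_code: str, mail_code: str) -> bool:
        """Combine both shares and check them against the stored digest.
        Fails closed on unknown account, expiry, reuse or exhausted attempts."""
        req = self.pending.get(account_id)
        if req is None or req.used or req.attempts_left <= 0:
            return False
        if self.clock() - req.issued_at > req.ttl:
            del self.pending[account_id]
            return False
        try:
            a, b = bytes.fromhex(phone_code), bytes.fromhex(mail_code)
        except ValueError:
            a = b = b""
        if len(a) != TOKEN_BYTES or len(b) != TOKEN_BYTES:
            req.attempts_left -= 1
            return False
        secret = bytes(x ^ y for x, y in zip(a, b))
        ok = hmac.compare_digest(hashlib.sha256(secret).digest(), req.digest)
        if ok:
            req.used = True          # single use
        else:
            req.attempts_left -= 1
        return ok
```

Because the server keeps only a hash of the combined secret, a leaked pending-request table does not let anyone forge a redemption either; the caller still has to present both shares within the window and the budget.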

  • Take that, Gizmodo!
  • the sheer destructive/malicious -ness of this attack makes it sound very personal (either something against the user or Gizmodo - the compromise gave access to Gizmodo's Twitter feed).

    you can't execute a social engineering attack without knowing something about the user.... some random attacker might have been able to get enough info from past his blog posts to launch the attack, but this smells more personal. Apple uses out of wallet info for their security questions - the whole point of OOO is asking ques

  • At 5:00 PM, they remote wiped my iPhone

    At 5:01 PM, they remote wiped my iPad

    At 5:05, they remote wiped my MacBook Air.

    And no backups because the "Cloud" is the backup, right? HAHAHAHA. This is beyond stupid. Seriously.

    If the best Apple can come up with against device theft is the ability to remotely wipe them, then their customer base deserves everything they get. Personal responsibility needs to be burned into those morons with pain. Lots of pain. Maybe then they'll pay attention to what the fuck they are
