Recent 'MFA Bombing' Attacks Targeting Apple Users (krebsonsecurity.com) 15
An anonymous reader quotes a report from KrebsOnSecurity: Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user's account is under attack and that Apple support needs to "verify" a one-time code. [...]
What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven't even been acted on by the user? Could this be the result of a bug in Apple's systems? Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he's convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed "AirDoS" because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop -- a file-sharing capability built into Apple products.
Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple's fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple's rate limit on how many of these password reset requests can be sent in a given timeframe. "I think this could be a legit Apple rate limit bug that should be reported," Bagaria said.
What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven't even been acted on by the user? Could this be the result of a bug in Apple's systems? Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he's convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed "AirDoS" because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop -- a file-sharing capability built into Apple products.
Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple's fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple's rate limit on how many of these password reset requests can be sent in a given timeframe. "I think this could be a legit Apple rate limit bug that should be reported," Bagaria said.
OMG (Score:5, Funny)
Re: (Score:1)
this is what happens when you open up other app stores /s
No. This is what happens when 21st Century users make 20th Century users look like security experts.
Re: (Score:3)
this is what happens when you open up other app stores /s
No. This is what happens when 21st Century users make 20th Century users look like security experts.
No, this is just the usual human stupidity. How many times have people been told if they get a call from "Microsoft support" claiming their machine has been compromised to simply hang up? And yet, here we are with Mac users doing the exact same stupid thing.
Re: (Score:2)
this is what happens when you open up other app stores /s
No. This is what happens when 21st Century users make 20th Century users look like security experts.
No, this is just the usual human stupidity. How many times have people been told if they get a call from "Microsoft support" claiming their machine has been compromised to simply hang up? And yet, here we are with Mac users doing the exact same stupid thing.
No, this has nothing to do with that. This is about what happens when users tell Apple that they have forgotten their passwords. Apple's servers send out a message to the user's signed-in devices asking them to authorize the password reset request, and those devices pop up a message on the screen.
The problem is that any jacka** who gets your email address can hit Apple's servers and issue a password reset request, and all your machines will get a password reset confirmation. And if that jacka** happens t
Re: (Score:2)
this is what happens when you open up other app stores /s
No. This is what happens when 21st Century users make 20th Century users look like security experts.
No, this is just the usual human stupidity. How many times have people been told if they get a call from "Microsoft support" claiming their machine has been compromised to simply hang up? And yet, here we are with Mac users doing the exact same stupid thing.
No, this has nothing to do with that. This is about what happens when users tell Apple that they have forgotten their passwords. Apple's servers send out a message to the user's signed-in devices asking them to authorize the password reset request, and those devices pop up a message on the screen.
The problem is that any jacka** who gets your email address can hit Apple's servers and issue a password reset request, and all your machines will get a password reset confirmation. And if that jacka** happens to have a few thousand/million compromised bots in a botnet that can all issue password reset requests against the same account, one every few seconds, the resulting DOS attack can potentially prevent its victims from using their devices.
Hmmm.
I wonder if that's why earlier today, I was just Invited to Install iOS 16.7.7 (and did), just a few days after Installing iOS 16.7.6 ?
Nope. Doesn't appear so.
Re: (Score:2)
Sorry to Reply to myself.
This Vulnerability appears to actually have been addressed earlier, in iOS 16.7.6 .
Look at the first Entry, under "Accessibility":
https://support.apple.com/en-u... [apple.com]
BTW, just below "Accessibilty", in the "CoreCrypto" Section, could it be a possible Fix for the "GoFetch" Hardware Vulnerability?
Apple needs more recovery options... (Score:4, Interesting)
Apple needs some recovery options that can both reset passwords, and 2FA stuff, so people have a chance to get their accounts back. Ideally, recovery options that don't prompt the user, so that repeated spamming can't be done. This is why Google Authenticator is nice, although that is vulnerable to phishing and someone appearing as an "Apple rep" to ask for the six digit code.
For example:
1: Apple sends a registered mail to the address on file, restricted delivery to the sender's first name. This requires an ID, so should be able to allow the user to reset everything. There should be some rate limitation on this because registered mail deliveries are expensive, perhaps one per 1-3 months, with the user given the option to pay for it if needed after that. However, this is one sure way to ensure a user is whom they claim to be.
2: Going to an Apple Store with two forms of government ID, perhaps a notarized statement. This is a lot of work, but it is better than being locked out and unable to access anything on the account.
3: 2-3 codes spaced by an hour. Yes, waiting three hours to get one's account back sucks, but "Apple Support" calling three times to get a code is something that even dumper people will realize is preposterous... it is possible, but a lot less likely for someone to fall for that, than one code.
4: YubiKeys for recovery, not authentication. This way, if one loses all their FIDO tokens, they have not lost their account, but the YubiKeys will be useful for that.
What Apple needs to realize is that people wanting to compromise accounts are acting on a higher level. When I worked at a university, it wasn't uncommon for people to not just be relieved of their iDevices at gunpoint, but the PIN demanded of them. Now that device security is active, the muggers will just demand the AppleID password as well. Ideally, and this would need to be an option done country, by country, the use of registered mail is probably the best, if all else fails, provided the user keeps their mailing address current. This is slow and takes a while, but far better than losing an account.
Re:Apple needs more recovery options... (Score:4, Interesting)
2: Going to an Apple Store with two forms of government ID, perhaps a notarized statement. This is a lot of work, but it is better than being locked out and unable to access anything on the account.
LOLNO. I don't want Apple Retail to have the ability to reset my credentials. That's up there with having a Microsoft Account that also unlocks my PC (I only use local accounts).
How about just supporting an industry standard 2FA method like TOTP or HOTP? No random pop-ups on a display on a device in another state, or sending codes via SMS. Ask to reset the password and the system asks the person making the request for the 2FA code before continuing with the process. They wont be able to answer so that would shut the whole problem down cold as far as this social engineering attack.
Re: (Score:2)
That would be nice. Nothing beats the Bog-standard Google Authenticator, but it seems that users wind up phished by that, thus other auth methods used.
spam all nearby iOS devices (Score:2)
Not Just Apple (Score:3)
If I used it for anything but Teams login when I'm doing job interviews I might actually care it's happening.
Re: (Score:2)
what's the point
It's cheap to initiate recovery, a percentage of people click the wrong button, and the whole process is automated so all you have to do is sit back and collect PII from fools...
Re: (Score:3)
The fact that Apple isn't using a number matching scheme on their MFA prompts is pretty stupid. Especially since they bill themselves as more secure than the alternatives.
Microsoft has been using number matching schemes in their MFA prompts for years AFAIK. In our org, I enforce the version that requires the user to enter the number they are seeing on the screen rather than choosing from a list of 3. It will also show the GPS coords in the form of a map pin on every attempt so the user can see where the aut
Too many modals (Score:1)