Apple & Amazon security flaws allowed hackers to access a journalist’s iCloud account
Mat Honan, the Wired journalist whose iPhone, iPad and MacBook Air were remotely wiped by hackers using iCloud’s Find My Device feature, has now detailed the security flaws that allowed the attackers to trick a member of Apple’s Tech Support into giving them access to his iCloud account.
Honan has discovered that Apple Tech Support only requires a customer’s billing address and the last four digits of their credit card to issue a temporary iCloud password. Once the hackers had obtained those two pieces of information they simply called Apple and pretended to be him.
Responding to Honan’s findings, an Apple spokesperson told Wired:
Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.
Getting hold of somebody’s billing address is fairly easy to do. In Honan’s case the hackers did a WHOIS search on his domain name, but they could have also used one of the many ‘people finding’ services, such as WhitePages or PeopleSmart.
Obtaining the last four digits of a user’s credit card is slightly harder. The hackers used a loophole in Amazon’s security which involved registering a bogus credit card number with the company. That fake number was then used to bypass Amazon’s security checks and gain access to Honan’s account – exposing the last four digits of his real card, the piece of information Apple required.
Honan’s experience raises a number of issues, including apparent flaws in both Amazon’s and Apple’s account-security processes, and the danger of using the same email address for key services such as iCloud and Gmail – it was that link between accounts that ultimately allowed the real damage to be done.
Honan was initially targeted for his three-character Twitter handle, but that eventually led the hackers to his iCloud details, from which they wiped his MacBook Air, which contained over a year’s worth of data.
The hack also raises the question of whether or not Find My Mac should be enabled. Compared to an iPhone or iPad, a Mac is less likely to be lost or stolen, and due to the way Apple has implemented the feature, if a third party decides to wipe your system, there is no way of reversing it.
Update: Apple has now suspended over-the-phone iCloud password resets, and Amazon has stopped accepting changes to account settings over the phone.