What a hilarious comment. This article has NOTHING to do with T-Mobile's security in general. Almost completely ignoring that it's 100% Apple's fault. But let's just skirt over that and look at T-Mobile's security instead.

I don't want to be *THAT* guy but... do you really think Apple ensured other providers were protected from brute forcing while just simply forgetting Tmo?

As someone privy to systems like this, it does look like this falls on Tmo. Apple most likely plugs into a secure system, hosted by Tmo, in order to authenticate user PINs. This hook into Tmo's system is what was not being protected properly. It should be the system that is verifying these credentials that should be preventing the brute force, not the external tools that vendors use to access that system.

This has the benefit of ensuring that no matter how they attempt to authenticate, and through whichever provider, service, or tool, the brute force blocks will be consistent. It also means that if someone discovers how to call the hook directly, they can't circumvent Apple's tool to hit it repeatedly with some custom brute force script more efficiently (or after Apple prevents it by patching their UI).

Either Tmo has allowed Apple unfettered access to some of their most secure data without any sort of oversight, or Tmo's own tool for verification was failing to check against brute forces while doing the authentication... in my mind, either way it was Tmo's failure.
 
> I don't want to be *THAT* guy but... do you really think Apple ensured other providers were protected from brute forcing while just simply forgetting Tmo?
>
> As someone privy to systems like this, it does look like this falls on Tmo. Apple most likely plugs into a secure system, hosted by Tmo, in order to authenticate user PINs. This hook into Tmo's system is what was not being protected properly. It should be the system that is verifying these credentials that should be preventing the brute force, not the external tools that vendors use to access that system.
>
> This has the benefit of ensuring that no matter how they attempt to authenticate, and through whichever provider, service, or tool, the brute force blocks will be consistent. It also means that if someone discovers how to call the hook directly, they can't circumvent Apple's tool to hit it repeatedly with some custom brute force script more efficiently (or after Apple prevents it by patching their UI).
>
> Either Tmo has allowed Apple unfettered access to some of their most secure data without any sort of oversight, or Tmo's own tool for verification was failing to check against brute forces while doing the authentication... in my mind, either way it was Tmo's failure.
"Apple most likely plugs into", if you have evidence of this then sure, otherwise it's a load of made up rubbish.

Your last paragraph is also, again, completely baseless without any evidence. Currently all evidence points to Apple at fault, and until proven otherwise, they hold full responsibility for this problem.
 
> "Apple most likely plugs into", if you have evidence of this then sure, otherwise it's a load of made up rubbish.
>
> Your last paragraph is also, again, completely baseless without any evidence. Currently all evidence points to Apple at fault, and until proven otherwise, they hold full responsibility for this problem.

I have no evidence other than working in that industry to know to ask the question: how else is Apple verifying PINs? I'm not trying to convince you, but it's worth throwing into the ether.

Apple either has unfettered access to Tmo's secure PINs or Tmo is not protecting their APIs that verify them.

All situations available say it's Tmo's failure to protect their/user data, while only the former scenario places some additional fault on Apple here.
 
> Having the best security =/= flawless security. No tech company is completely flawless. But go ahead and chastise Apple for not being absolutely perfect, because that's so productive.

This particular issue is fairly basic stuff, not some complicated hack. A few years ago, Apple had the same issue with people’s iCloud accounts, and hackers used it to get nude celebrity pictures. Really, limiting password entries is just so obvious that I have trouble imagining how it got through to the production server.

Apple has very good security for things such as the iPhone’s Secure Enclave that are primarily security focused. However, other departments tarnish Apple’s reputation by letting too many simple security bugs get through.
 
> But forum members told me that Apple had the best security. Well except for those times when they didn't. Like the root password gate where you didn't have to put a password in to gain root access.
Apple devices have the best security above all brands. This is a fact and has been confirmed by many cyber security experts in many fraud and cyber security related conferences.

A security flaw in Apple's online store exposed the account PINs of more than 72 million T-Mobile customers, reports BuzzFeed News.

The vulnerability was discovered by security researchers Phobia and Nicholas "Convict" Ceraolo, who also found a similar flaw in the website for phone insurance company Asurion that exposed AT&T account PINs.

Both Apple and Asurion fixed the website flaws that left the PINs vulnerable after learning about them from BuzzFeed News. Apple opted not to provide further comment on the situation, but told BuzzFeed News that it is "very grateful to the researchers who found the flaw."


The page on Apple's site that let hackers brute force PINs, via BuzzFeed News
PINs, or passcodes, are numbers used as an additional account security measure by many carriers in the United States. These account PINs are typically a last line of defense for a cellular account, as both carrier websites and support staff will ask for the PIN for confirmation before making account changes.

SIM hacking, which uses social engineering to get carrier support staff to transfer a person's phone number to a new SIM, has become increasingly prevalent due to the number of accounts (bank, email, social media, etc.) that are tied to a person's phone number. A PIN is used as a defense mechanism against SIM hacking, which means exposed PINs can be particularly dangerous.

Accessing the T-Mobile PINs on Apple's website involved a brute force attack where a hacker used software to input multiple different numeric combinations to guess the proper one.

As BuzzFeed News explains, after initiating a T-Mobile iPhone purchase on the Apple online store and selecting monthly payment options through T-Mobile, Apple's site directs users to an authentication form asking for a T-Mobile number and account PIN or last four digits of a social security number (which most carriers use in place of a PIN when one has not been set).

The page allowed for infinite entry attempts into the PIN field, enabling the brute force attack that let hackers guess PINs associated with a T-Mobile phone number.

The security vulnerability appears to have been limited to T-Mobile accounts, as the same validation page for other carriers on Apple's site uses a rate limit that locks access to the form for 60 minutes after five to 10 incorrect entries. Given that the other carrier pages had rate limiting enabled, it's likely Apple made an error on the T-Mobile page.

A similar vulnerability on Asurion's website exposed an unspecified number of AT&T account PINs. An AT&T spokesperson said that it is working with Asurion to investigate the issue and will "take any additional action that may be appropriate."

A phone number was required for both of these attacks, limiting the number of people who may have been impacted, but AT&T and T-Mobile customers who are concerned about their account safety should choose a new PIN.

Article Link: Apple Online Store Security Flaw Exposed PINs of T-Mobile Customers
I assume the attacker has tried other carriers as well to do this and found the weakest one was T-Mobile. Fortunate for me and others who stay away from T-Mobile.
 
> But forum members told me that Apple had the best security. Well except for those times when they didn't. Like the root password gate where you didn't have to put a password in to gain root access.

TM should have rate limiting on their APIs; that is the first step in setting up public APIs.
> "Apple most likely plugs into", if you have evidence of this then sure, otherwise it's a load of made up rubbish.
>
> Your last paragraph is also, again, completely baseless without any evidence. Currently all evidence points to Apple at fault, and until proven otherwise, they hold full responsibility for this problem.

If it was Apple's fault, all carriers would be affected. Where I work we create a lot of APIs, some public, the first step was to pick a system to manage API keys and access to all APIs. You can't let someone have free unlimited access to your routes.
 
> Apple devices have the best security above all brands. This is a fact and has been confirmed by many cyber security experts in many fraud and cyber security related conferences.

> I assume the attacker has tried other carriers as well to do this and found the weakest one was T-Mobile. Fortunate for me and others who stay away from T-Mobile.

You are preaching to the choir. There will always be a few of those who will speak nonsense, no matter what.
 
I do take issue with the wording of the Buzzfeed article; it appears that this was a vulnerability that potentially exposed the customer account PINs. Whether some entity actually took the time to brute force all 72 million account PINs is unknown, but unlikely. However, this is still very serious, for the simple fact that this kind of vulnerability allows for targeted phone account takeover. Why is that important? Because some web sites and services are lazy and use SMS two factor authentication (I'm looking at you, Paypal!). So this, together with the password breach databases, opens a crack for an evil entity to target a high value individual and take over... their email account... a bank account... an open source software repository... <fill in the blank>.

As an example, recently in the news there was a breach reported concerning some people in the Reddit organization. If memory serves me this was accomplished via SMS phone account takeover (with of course some password use, unknown how they got that).
 
> If it was Apple's fault, all carriers would be affected. Where I work we create a lot of APIs, some public, the first step was to pick a system to manage API keys and access to all APIs. You can't let someone have free unlimited access to your routes.

Depending on the underlying integration points and the contract agreement between Apple/Tmobile, it could be both at fault.

Since the page was hosted by Apple, they are responsible for the portal side. Tmobile is obviously responsible for their side thereafter. In my opinion, I think both should have exercised caution for this unless the contract agreement stated who was responsible for what.

You are right in that for any Auth/AuthZ flow, you're going to not only rate limit but also have some type of block if an attack is detected. However, what amuses me about this is if Apple was keen on security including their public facing service layers, they should've had this in place.
 
> You are right in that for any Auth/AuthZ flow, you're going to not only rate limit but also have some type of block if an attack is detected. However, what amuses me about this is if Apple was keen on security including their public facing service layers, they should've had this in place.

My guess is that Tmo's servers were supposed to be rate limiting and sending that error code back to Apple's client to display (the messages are pretty raw), which is why brute force protection was inconsistent among carriers.

But either way, a form like this should be rate limited for any purpose, I agree.

I wonder if other services that can affect accounts around Tmo are vulnerable or if it is/was Apple specific.
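Added example, not code from the article, from Apple or T-Mobile, or from any poster in this thread: a small Python model of the control the article describes (a lock after five wrong entries, lasting 60 minutes), placed where the posts above argue it belongs, in the service that holds the PINs rather than in any one client page. The account number, PIN, and the `PinVerifier` / `brute_force` names are constructed for illustration. Running the same 10,000-guess script against a verifier with lockout disabled (the behaviour the article attributes to the T-Mobile page) and against one with it enabled shows why unlimited attempts against a 4-digit PIN is fatal, and why a lock keyed by account holds regardless of which client submits the guess.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy values taken from the article's description of the working carrier
# pages: lock the account for 60 minutes after a handful of wrong entries.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 60 * 60
PBKDF2_ITERATIONS = 1_000  # kept low so the demo runs quickly; use far more in production


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Store a salted hash rather than the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class PinVerifier:
    """Hypothetical carrier-side verification service.

    The failure counter and lockout live here, keyed by account, so they
    apply no matter which client submits the guess: a carrier web page, a
    retailer's purchase flow, or a script calling the API directly.
    """

    def __init__(self, clock, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.clock = clock                # injectable time source (deterministic tests)
        self.max_failures = max_failures  # None reproduces the flaw: unlimited attempts
        self.lockout = lockout
        self.accounts = {}

    def enroll(self, msisdn: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[msisdn] = Account(salt, _hash_pin(pin, salt))

    def verify(self, msisdn: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A wrong PIN and an unknown
        number look identical so the endpoint cannot be used to enumerate accounts."""
        acct = self.accounts.get(msisdn)
        if acct is None:
            return "denied"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"               # the guess is not evaluated at all
        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = now + self.lockout
        return "denied"


def brute_force(verifier: PinVerifier, msisdn: str):
    """Attacker script hitting the verifier directly, so there is no UI to bypass.
    Returns (pin_found_or_None, guesses_evaluated, was_locked_out)."""
    evaluated = 0
    for guess in range(10_000):            # the entire 4-digit space
        result = verifier.verify(msisdn, f"{guess:04d}")
        if result == "locked":
            return None, evaluated, True
        evaluated += 1
        if result == "ok":
            return f"{guess:04d}", evaluated, False
    return None, evaluated, False


def demo():
    """Run the attack against a flawed (no lockout) and a hardened verifier."""
    now = [0.0]

    def clock():
        return now[0]

    number, pin = "5551234567", "4827"     # constructed sample account
    flawed = PinVerifier(clock, max_failures=None)
    hardened = PinVerifier(clock)
    for v in (flawed, hardened):
        v.enroll(number, pin)

    flawed_result = brute_force(flawed, number)      # PIN recovered after 4828 guesses
    hardened_result = brute_force(hardened, number)  # 5 guesses evaluated, then locked

    now[0] += LOCKOUT_SECONDS + 1                    # lock expires
    after_lockout = hardened.verify(number, pin)     # legitimate user gets back in
    return flawed_result, hardened_result, after_lockout


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment needs beyond this sketch: a per-account lock lets anyone who knows a phone number deliberately lock its owner out by guessing wrong, so it is normally paired with per-source rate limiting and alerting rather than used alone; and since the article notes the form also accepted the last four digits of a social security number in place of a PIN, that fallback has the same 10,000-value search space and needs the same protection.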
 
> Apple don't care about security because even after several security incidents customers are brain washed into thinking Apple is flawless.
I prefer :apple: products over the competition, but just going by what people say on these forums, yes that cannot be more true.
 
> Having the best security =/= flawless security. No tech company is completely flawless. But go ahead and chastise Apple for not being absolutely perfect, because that's so productive.

Apple defense league: "Engage deflection mode, DO IT NOW!"

Like you wouldn't be one of the very first in line to chastise any non-Apple firm, should it have happened to them instead. :rolleyes:
 
Considering the size of this ****up it's quite quiet in here. Is that the scared tacit Apple sheep herd?
 
> I have no evidence other than working in that industry to know to ask the question: how else is Apple verifying PINs? I'm not trying to convince you, but it's worth throwing into the ether.
>
> Apple either has unfettered access to Tmo's secure PINs or Tmo is not protecting their APIs that verify them.
>
> All situations available say it's Tmo's failure to protect their/user data, while only the former scenario places some additional fault on Apple here.
So basically, fud then. Moving on.
 
> Smh. Another day another Micro, I mean Apple software security bug. Wtf is Craig Federighi getting paid for? I can actively remember when these types of Apple software screwups didn't happen.

If you remember a time when Apple software didn't have security issues, you must be remembering a time when Apple didn't make computers. As long as there is software, there have always been exploits. It just seems more common these days since Apple is a higher profile company. Hackers are incentivized to do this because Apple offers generous rewards to white hats and customer info is more valuable for black hats. In this case, researchers found the exploit and Apple patched it, and the researchers probably got their reward money.
 
> Apple devices have the best security above all brands. This is a fact and has been confirmed by many cyber security experts in many fraud and cyber security related conferences.
Are you referring to the fact that Apple devices are usually the first ones to be pwned at various pwn contests (like this one)?
 
> But forum members told me that Apple had the best security. Well except for those times when they didn't. Like the root password gate where you didn't have to put a password in to gain root access.

> Apple don't care about security because even after several security incidents customers are brain washed into thinking Apple is flawless.

Nobody claimed Apple is flawless. However, OSX users are less prone to attacks. Come at us when people start uploading ransomware on to Macs or iPhones on a large scale.
 
> But you would still need my password to access your account... no?
No. Not if you call support.
> What PIN? As a T-Mobile customer for well over a decade I don't have a PIN and don't recall ever having to create one. Changing to a new phone has never been problematic, and even easier thanks to Apple and iCloud. Long gone are the days of wired content porting between the old and new phones. Yes, I have a T-Mobile online account, but it uses a regular password well beyond 4 digits on a PIN.
>
> Given that I spend about 3 weeks in Europe, T-Mobile is the only way to go with free email, text, and wifi to plan limit (unlimited in my case) in most countries. Calls do cost - but not Facetime/Skype. Rules out ATT and Verizon who charge hundreds for the same multi-week non-call international service.
You have to have a PIN to verify your account when you call support.
> Now I'm confused. I think this means some kind of T-mobile account PIN, which is not the same with my iPhone PIN that I can use to unlock the phone, right? There's no way that either Apple or T-mobile had access to the PIN I use - this would be equivalent to storing my raw fingerprint images on their server!
>
> I use ID and Password when logging in to T-Mobile web site, so I don't even know what PIN they mean here.
Log in to your account, go to settings, and you will see the PIN/Passcode section where you can change your PIN. Customer service asks you for PIN to verify your account. No one asks for your password when you call in. The Password is only for accessing your account online. The PIN is for authorizing Customer Service reps to access your account.
 
> Having the best security =/= flawless security. No tech company is completely flawless. But go ahead and chastise Apple for not being absolutely perfect, because that's so productive.

Do not confuse privacy protection with security in general. Apple might have always been very willing not to abuse user data like others do (and still is, leveraging the tracking protection in Safari, banning suspicious apps from the App Store, etc.), but they were never the best in deep technical security matters like the one mentioned in this article.

They already have a number of big security flaws in their history, for both iOS and macOS.
 
What a despicable company Apple is. They brag about how secure they are, then their blind followers continue to parrot the same mantra regardless of the facts that say otherwise. It's one security issue after another with these crooks. Disgusting.
 