Apple Online Store Security Flaw Exposed PINs of T-Mobile Customers

Discussion in 'News Discussion' started by MacRumors, Aug 24, 2018.

  1. pat500000 Suspended


    Jun 3, 2015
    Oh Apple, silly rabbit. TRICKS is for kids.
  2. PlayUltimate macrumors regular


    Jul 29, 2016
    Boulder, CO
    My wife keeps saying the same thing.
    Albeit, it can still be lost or stolen. And secure backups are a pain. ;-)
  3. Mascots macrumors 68000


    Sep 5, 2009
    I don't want to be *THAT* guy but... do you really think Apple ensured other providers were protected from brute forcing while just simply forgetting Tmo?

    As someone privy to systems like this, it does look like this falls on Tmo. Apple most likely plugs into a secure system, hosted by Tmo, in order to authenticate user PINs. This hook into Tmo's system is what was not being protected properly. It should be the system that is verifying these credentials that should be preventing the brute force, not the external tools that vendors use to access that system.

    This has the benefit of ensuring that no matter how they attempt to authenticate and through whichever provider, service, or tool, the brute force blocks will be consistent. It also means that if someone discovers how to call the hook directly, they can't circumvent Apple's tool to hit it repeatedly with some custom brute force script more efficiently (or after Apple prevents it after patching their UI).

    It's either Tmo has allowed Apple unfettered access to some of their most secure data without any sort of oversight or Tmos own tool for verification was failing to check against brute forces while doing the authentication... in my mind either way it was Tmos failure.
  4. Neo-Tech, Aug 25, 2018
    Last edited: Aug 25, 2018

    Neo-Tech macrumors regular

    Jun 19, 2009
    "Apple most likely plugs into", if you have evidence of this then sure, otherwise it's a load of made up rubbish.

    Your last paragraph is also, again, completely baseless without any evidence. Currently all evidence points to Apple at fault, and until proven otherwise, they hold full responsibility for this problem.
  5. Mascots, Aug 25, 2018
    Last edited: Aug 25, 2018

    Mascots macrumors 68000


    Sep 5, 2009
    I have no evidence other than working in that industry to know to ask the question: how else is Apple verifying pins? I'm not trying to convince you, but it's worth throwing into the ether.

    Apple either has unfettered access to Tmos secure pins or Tmo is not protecting their APIs that verify them.

    All situations available say it's Tmo's failure to protect their/user data, while only the former scenario places some additional fault on Apple here.
  6. dwsolberg, Aug 25, 2018
    Last edited: Aug 25, 2018

    dwsolberg macrumors 6502a

    Dec 17, 2003
    This particular issue is fairly basic stuff, not some complicated hack. A few years ago, Apple had the same issue with people’s iCloud accounts, and hackers used it to get nude celebrity pictures. Really, limiting password entries is just so obvious that I have trouble imagining how it got through to the production server.

    Apple has very good security for things such as the iPhone’s Secure Enclave that are primarily security focused. However, other departments tarnish Apple’s reputation by letting too many simple security bugs get through.
  7. democracyrules macrumors 6502a

    Nov 18, 2016
    Apple devices have the best security above all brands. This is a fact and has been confirmed by many cyber security experts in many fraud and cyber security related conferences.
    --- Post Merged, Aug 25, 2018 ---
    I assume the attacker has tried other carriers as well to do this and found the weakest one was T-Mobile. Fortunate for me and others who stay away from T-Mobile.
  8. spazzcat, Aug 25, 2018
    Last edited: Aug 25, 2018

    spazzcat macrumors 68030


    Jun 29, 2007
    TM should have rate limiting on their APIs, that is the first step in setting up public APIs.
    --- Post Merged, Aug 25, 2018 ---
    If it was Apple's fault, all carriers would be affected. Where I work we create a lot of APIs, some public, the first step was to pick a system to manage API keys and access to all APIs. You can't let someone have free unlimited access to your routes.
  9. StellarVixen macrumors 68000


    Mar 1, 2018
    You are preaching to the choir. There will always be few of those who will speak nonsense, no matter what.
  10. flaubert macrumors regular


    Jun 16, 2015
    Portland, Oregon
    I do take issue with the wording of the Buzzfeed article; it appears that this was a vulnerability that potentially exposed the customer account PINs. Whether some entity actually took the time to brute force all 72 million account PINs is unknown, but unlikely. However, this is still very serious, for the simple fact that this kind of vulnerability allows for targeted phone account takeover. Why is that important? Because some web sites and services are lazy and use SMS two factor authentication (I’m looking at you, Paypal!). So this, together with the password breach databases, open a crack for an evil entity to target a high value individual and take over... their email account... a bank account... an open source software repository... <fill in the blank>.

    As an example, recently in the news there was a breach reported concerning some people in the Reddit organization. If memory serves me this was accomplished via SMS phone account takeover (with of course some password use, unknown how they got that).
  11. cfurlin macrumors 6502


    Jun 14, 2011
    Can you really call them customers? Victim seems more appropriate.
  12. ipponrg macrumors 68000

    Oct 15, 2008
    Depending on the underlying integration points and the contract agreement between Apple/T-Mobile, it could be both at fault.

    Since the page was hosted by Apple, they are responsible for the portal side. T-Mobile is obviously responsible for their side thereafter. In my opinion, I think both should have exercised caution for this unless the contract agreement stated who was responsible for what.

    You are right in that for any Auth/AuthZ flow, you're going to not only rate limit but also have some type of block if an attack is detected. However, what amuses me about this is if Apple was keen on security including their public facing service layers, they should've had this in place.
  13. Mascots macrumors 68000


    Sep 5, 2009
    My guess is that the Tmo servers were supposed to be rate limiting and sending that error code back to Apple's client to display (the messages are pretty raw), which is why brute force protection was inconsistent among carriers.

    But either way, a form like this should be rate limited for any purpose, I agree.

    I wonder if other services that can affect accounts around Tmo are vulnerable or if it is/was Apple specific.
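    The design several posters describe here (Mascots in posts 3 and 13, spazzcat in post 8, ipponrg in post 12) is that the attempt limit has to live in the carrier-side service that actually checks the PIN, so that every caller shares the same lockout. The sketch below is an added illustration of that idea, not code from Apple, T-Mobile or the thread; the account numbers, PIN, limits and the `caller` label are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5         # wrong guesses allowed before the account locks
LOCKOUT_SECONDS = 900    # lock duration; the counter resets once it expires


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store PINs salted and stretched rather than in clear text."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class PinVerifier:
    """Verification hook on the carrier side. Because the lockout state is
    kept here, a retail portal, a support tool and a direct call to the API
    all draw on the same per-account budget of guesses."""

    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts
        self.clock = clock          # injectable so tests can advance time
        self.audit = []             # (phone, caller) pairs that tripped the limit

    def verify(self, phone: str, pin: str, caller: str) -> str:
        acct = self.accounts.get(phone)
        now = self.clock()
        if acct is None:
            return "denied"         # same reply as a wrong PIN: no account enumeration
        if now < acct.locked_until:
            return "locked"         # refuse even a correct PIN while locked
        if acct.locked_until:       # a lockout has expired: start a fresh window
            acct.failures, acct.locked_until = 0, 0.0
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.audit.append((phone, caller))   # which integration tripped it
        return "denied"


def new_account(pin: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pin_hash=hash_pin(pin, salt))
```

    The audit entry records which integration hit the limit, which is the signal a carrier would alert on when one client suddenly starts locking accounts.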
  14. vladi macrumors 6502

    Jan 30, 2010
    Why do they store PIN numbers at all? I don't get that at all.
  15. rafark macrumors 65816


    Sep 1, 2017
    I prefer :apple: products over the competition, but just going by what people say on these forums, yes that cannot be more true.
  16. WBRacing macrumors 65816

    Nov 19, 2012
    Apple defense league: "Engage deflection mode, DO IT NOW!"

    Like you wouldn't be one of the very first in line to chastise any non-Apple firm, should it have happened to them instead. :rolleyes:
  17. bmot macrumors regular

    Feb 25, 2016
    Considering the size of this ****up it’s quite quiet in here. Is that the scared tacit Apple sheep herd?
  18. Neo-Tech macrumors regular

    Jun 19, 2009
    So basically, fud then. Moving on.
  19. szw-mapple fan macrumors 68000

    szw-mapple fan

    Jul 28, 2012
    If you remember a time when Apple software didn’t have security issues, you must be remembering a time when Apple didn’t make computers. As long as there is software, there have always been exploits. It just seems more common these days since Apple is a higher profile company. Hackers are incentivized to do this because Apple offers generous rewards to white hats and customer info is more valuable for black hats. In this case, researchers found the exploits and Apple patched it and the researchers probably got their reward money.
  20. Mascots macrumors 68000


    Sep 5, 2009
    I'm happy that you could contribute to the discussion with such fantastic input; I'm not the only one here with the same thought.
  21. falainber macrumors 65816


    Mar 16, 2016
    Wild West
    Are you referring to the fact that Apple devices are usually the first ones to be pwned at various pwn contests (like this one)?
  22. kappaknight macrumors 68000


    Mar 5, 2009
    Nobody claimed Apple is flawless. However, OSX users are less prone to attacks. Come at us when people start uploading ransomware on to Macs or iPhones on a large scale.
  23. sirozha macrumors 6502a

    Jan 4, 2008
    No. Not if you call support.
    --- Post Merged, Aug 25, 2018 ---
    You have to have a PIN to verify your account when you call support.
    --- Post Merged, Aug 25, 2018 ---
    Log in to your account, go to settings, and you will see the PIN/Passcode section where you can change your PIN. Customer service asks you for PIN to verify your account. No one asks for your password when you call in. The Password is only for accessing your account online. The PIN is for authorizing Customer Service reps to access your account.
  24. antonis macrumors 68020


    Jun 10, 2011
    Do not confuse the privacy protection with the security in general. Apple might have always been very willing to not abuse user data like others do (and still is, leveraging the tracking protection in safari, ban suspicious apps from App Store etc) but they were never the best in security deep technical matters like the one mentioned in this article.

    They already have a number of big security flaws in their history, for both iOS and macOS.
  25. Sevanw Suspended


    Sep 13, 2014
    What a despicable company Apple is. They brag about how secure they are, then their blind followers continue to parrot the same mantra regardless of the facts that say otherwise. It's one security issue after another with these crooks. Disgusting.
