Apple Online Store Security Flaw Exposed PINs of T-Mobile Customers

Discussion in ' News Discussion' started by MacRumors, Aug 24, 2018.

  1. MacBH928 macrumors 68040


    May 17, 2008
    I remember a time when I thought storing stuff on my computer/online account was the safest place because no one can get to it.

    I am very happy to lose all those services to get my privacy back and not be exposed. I used the internet without tracking pre-2005 and life was just as good. Many service available does not need tracking including email(ad supported), search engines(keyword ad supported), video-on-demand(paid service), IMs, maps...yes even maps. People used TomTom for GPS and it didn't track them IIRC.

    They only track you because its an extra measure to make more money. Its like you pay a hospital for a surgery, then they sell all patient data to research companies to make statistics to sell for drug companies and insurance companies.
  2. Neo-Tech, Aug 26, 2018
    Last edited: Aug 26, 2018

    Neo-Tech macrumors regular

    Jun 19, 2009
    I'm happy you could do the same with your armchair analysis.
  3. Fixey macrumors regular


    May 16, 2017
    No company is going to have 100% security they are going to be flaws spotted, what really matters is how quickly dose it take a company to address security flaws.

    And how well a company keeps quiet about flaws until they are fully patched, when you look at Microsoft you see it all plastered over the internet they have this and that and going to patch it but you may need another patch for the patch that is the difference.

    Keep shut say nothing don’t confirm just quickly and quietly patch it, and still keep quiet in case they are users who still haven’t updated their OS
  4. jamezr macrumors G5


    Aug 7, 2011
    #79's T-Mobiles fault Apple screwed up on Apple's website and exposed 2 million customer's personal information?
  5. ipponrg macrumors 68000

    Oct 15, 2008
    The internet and technology as usual innovated over time. Once companies started to understand the value of user data and how to leverage internet technologies to grab information about a user, then it became the current ball game we're in.

    All companies do some sort of tracking in a way -- even the ones that claim they don't. For example despite popular claims by people on this forum, Duck Duck Go still sends tracking pixels to help the company understand how users use their search engine. It is a harmless tracking pixel that (they say) has no user information attached to it, but nonetheless it's still information that is being sent over the wire.

    In a way, we kind of put ourselves in this place because of our reliance on the internet.
  6. givemeanapple macrumors Demi-God


    Oct 2, 2016
    I was going to write a joke about this but this is already a joke itself.
    Apple and security is no more.
  7. Mascots, Aug 26, 2018
    Last edited: Aug 26, 2018

    Mascots macrumors 68000


    Sep 5, 2009
    Well, whatever it takes to blame Apple - because Tmo is clearly so great about protecting your information..

    Let me pull this quote directly from the article:

    Hmm - let's see who isn't protecting accounts, let alone validation from brute forces...? No API for authentication should trust the client supplying it to do the validation - another Tmo fail to allow this.

  8. jinnj macrumors regular

    Dec 9, 2011
    This has nothing to do with any of the OSes developed by Apple. This was an Apple web service incident.
  9. DeepIn2U macrumors 603


    May 30, 2002
    Toronto, Ontario, Canada
    This was a LOCAL admin account (SUDO) that was an issue not a web service and thus specific to macOS that you run on your Mac computer.


    I see nothing about an Apple Web Service mentioned in this article (nor the except quoted above). It specifically mentions macOS High Sierra ... an OS not a website, not a web service as you claim.

    Get Info.
  10. ANTAWNM26 macrumors 6502a


    Jun 14, 2009
    better get a pin it is well known your account can be ported easily if you dont have a pin
  11. iapplelove, Aug 26, 2018
    Last edited: Aug 27, 2018

    iapplelove macrumors 601


    Nov 22, 2011
    East Coast USA
    it is a pin, just called a passcode. like the article mentioned its called a pin or a passcode to other companies. all AT&T customers have a 4 digit passcode.

    edit: also AT&T now lets users have up to an 8 digit passcode. mine use to be 4 digits but now its the maximum 8.
  12. Webster's Mac macrumors regular

    Dec 18, 2016
    I like my passwords sweet, not salty.
  13. supercoolmanchu macrumors 6502


    Mar 5, 2012
    Why would anyone use T-mobile?

    If I’m getting reamed for phone service, it’s gunna be by the professionals at AT&T. ;)
  14. inkswamp, Aug 26, 2018
    Last edited: Aug 26, 2018

    inkswamp macrumors 68030


    Jan 26, 2003
    "The page allowed for infinite entry attempts into the PIN field...."

    This is web security 101. Who puts a form online nowadays without some form of captcha or limit on usage? Hell, even Apple's form that allows you to look up Macs by serial number cuts you off after 3 lookups for a period of time. And yet, this is just sitting there waiting to be abused? This was sloppy and inexcusable.
    That's true, but this was really basic. This is something that anyone running a web site backend knows to shield their databases from. How many forms do you encounter nowadays that don't have a captcha or a built-in limit on usage? Almost none. This was an embarrassing oversight for Apple. It was the security equivalent of "hiding" your front door keys under the welcome mat. Apple is a great company but this was just dumb.
  15. Neo-Tech, Aug 26, 2018
    Last edited: Aug 26, 2018

    Neo-Tech macrumors regular

    Jun 19, 2009
    If it was T-Mobile's fault, wouldn't Apple have said so? Why did it also affect AT&T accounts on Asurion? It's quite clear that both Apple and Asurion made a mistake in their implementation, but hey, let's dig up some articles showing how T-Mobile's security is bad so it must be their fault!
  16. vixster1901 macrumors regular


    Apr 25, 2009
    That's why they call it passcode, pass the code please... :p sorry, I couldn't help myself! ;)
  17. fairuz, Aug 26, 2018
    Last edited: Aug 26, 2018

    fairuz macrumors 68020


    Aug 27, 2017
    Silicon Valley
    Shouldn't T-Mobile's API have a rate limit per user? Even if you look past that, does their API documentation say that they don't have a limit and that clients like Apple should do the limiting?
    --- Post Merged, Aug 26, 2018 ---
    T-Mobile was definitely doing something wrong here. No matter what they shouldn't be allowing infinite requests to check a 4-digit numeric PIN. Apple also should not have allowed it, but mainly cause they should know Tmo's security sucks (besides that just for their internal reasons); it's Tmo's job to protect the PIN and not "trust the client" as others said above.
    --- Post Merged, Aug 26, 2018 ---
    Maybe the other carriers did the rate limiting, and they applied the same to all.
    --- Post Merged, Aug 26, 2018 ---
    The person in charge of that Twitter account was also a total jerk. Literally troll-level. Though they're technically separate companies. The US rep responded more kindly but refused to say whether they take the blatant misstep of storing passwords.

    It's a fun read.
  18. 69Mustang macrumors 604


    Jan 7, 2014
    In between a rock and a hard place
    Yeah, you're doing the exact same thing as zacharino. Cursory half-acknowledgement-half-excuse for Apple's involvement and the rest is "hey let's excoriate TMo for an issue where Apple was at fault. Apple accepted responsibility for it's actions and fixed the issue... on it's site, not TMo's. As I said earlier, TMo has issues... plenty of 'em. This issue is Apples.
  19. MacBH928 macrumors 68040


    May 17, 2008
    The problem is not 0 feedback... its how it used:

    1)Sharing: When I give my ISP my address and Credit Card number, I really do not expect it to come up when I go shopping at Costco. I give you, not you and everyone else.

    2)Anonymity: You want general statics like how many people online, how long they stay on the site...fine. Building a specific profile on me, keeping it, never deleting it against my will, and tracking every keystroke I hit, every link I click, every sound captured from the

    3)Collecting what I do not know. For example, I didn't know Gmail reads your emails and serves ads based on that. I thought it geolocation based like how it used to be. I didn't know many services collect data on the device you use. They know if I am logging from a MacBook or an iPhone and which specific version of an iphone-if not an exact serial number.
  20. antonis macrumors 68020


    Jun 10, 2011
    There you go. The linked article mentions a vulnerability that can give access to the Mac's keychain (e.g. the intruder makes your mac his). Happy ?

    TL;DR from the article:
    This vulnerability is now fixed of course. Till the next one.
  21. xWhiplash macrumors 68000

    Oct 21, 2009
    Agreed. This is the first security rule in developing APIs and interacting with Client/Server type of data - never, under any circumstances, rely on client-side validation. T-Mobile is at fault here, not Apple. T-Mobile should NEVER rely on third party validation and security checks.

    This is the biggest security rule in web development when passing data around! I am shocked T-Mobile even allowed this to begin with. NEVER EVER absolutely NEVER rely on client-side validation or security like 5 failed attempts.
    --- Post Merged, Aug 27, 2018 ---
    Apple certainly could implement a three check system, but it is an API integrated with T-Mobile's database. Apple would need to take up database storage to handle this. This is entirely on T-Mobile by not adding the required security on their API. Apple should not be forced to implement security that the API should have in the first place. It would take more resources for Apple to have database tables for keeping record of attempts, especially if you want a lockout for say an hour or 24 hours for one account.
    --- Post Merged, Aug 27, 2018 ---
    You never, EVER absolutely NEVER should expose security risks by trusting third parties to perform your validation and security checks. NEVER. Under any circumstance! You can never trust client side validation.

    The API should be the one performing this check. It should not be depending on Apple for this. What if someone found a way to bypass Apple's site altogether and develop their own malicious site/software that interacted with the API that did NOT perform these checks?

    This is why the API level MUST.....ALWAYS....100% perform validation and security checks. There are no ifs. For proper security, it needs to be on the API level, not on a third party like Apple's website.
    --- Post Merged, Aug 27, 2018 ---
    Along with my previous statements, I will add this. It is not Apple's job to do what an API should be doing in the first place. It would cost Apple significant resources by implementing their own database tables and storage. This is not just a simple thing.
  22. ipponrg macrumors 68000

    Oct 15, 2008
    For a company with that much money, you’re making Apple sound like it’s some sort of startup. Granted I think the party at fault lies in what was agreed upon in their SLA

    No, it won’t cost Apple significant resources. Implementing checks like this is straight forward. You don’t need massive complex database tables, and storage usage is minuscule. Modern datastores can store volatile data that can expire themselves.
  23. xWhiplash macrumors 68000

    Oct 21, 2009
    You need to make sure it is robust enough. Needs to have to potential to support millions of records for the millions of T-Mobile subscribers. And we do not know their environment. I had to create a system and in order for it to connect with everything it did end up being a complex table.

    And yes it will cost significant resources. Not specifically hardware, but time and energy from their team that should be spent elsewhere.
  24. ipponrg macrumors 68000

    Oct 15, 2008
    You don’t need to store millions of records at all. You are over thinking it. At its most pragmatic implementation level, you only have to restrict the number of tries for a given phone number. You can do this via Redis/Mongo/MySQL/etc. Hash their phone number, stored it in a volatile database, and associate a value. This value is the number of attempts. Set an expiration policy on the key. If key is accessed before expire time, increment corresponding value and update expiration. If key is hit > N times, then report error back.

    This is completely disconnected from any API level integration.

    If you think it costs significant resources, you are supporting the well known issue of Apple having internal management problems. For a company like Apple, it would not be an acceptable excuse. Now if you were a startup, you might have a point there.
  25. KxK macrumors newbie

    Aug 27, 2018
    First off, it was T-Mobile Austria. Secondly TMUS =! T-Mobile Austria or Deutsche Telekom.

    Lastly, the phone number port out issue impacted all carriers not just TMUS. However, TMUS quickly moved to implement a pin code to make such changes.

    But, to your point, yes using last four of your social is a garbage practice.

Share This Page