Apple Online Store Security Flaw Exposed PINs of T-Mobile Customers

[MacBH928]

Trouble is we have all these fancy online services now like finding your nearest whatever. So you need to be tracked, the majority of them are offered for free so are paired for by advertising, and so you need to be tracked so you have targeted advertising.

If your happy to lose a lot if not all of these services then we can go back to analogue days.
It’s funny we live in a world now where a paper and pen is more secure because it can’t be hacked.

I remember a time when I thought storing stuff on my computer/online account was the safest place because no one can get to it.

I am very happy to lose all those services to get my privacy back and not be exposed. I used the internet without tracking pre-2005 and life was just as good. Many service available does not need tracking including email(ad supported), search engines(keyword ad supported), video-on-demand(paid service), IMs, maps...yes even maps. People used TomTom for GPS and it didn't track them IIRC.

They only track you because its an extra measure to make more money. Its like you pay a hospital for a surgery, then they sell all patient data to research companies to make statistics to sell for drug companies and insurance companies.

 

[Neo-Tech]

I'm happy that you could contribute to the discussion with such fantastic input; I'm not the only one here with the same thought.

I'm happy you could do the same with your armchair analysis.

 

[Fixey]

No company is going to have 100% security they are going to be flaws spotted, what really matters is how quickly dose it take a company to address security flaws.

And how well a company keeps quiet about flaws until they are fully patched, when you look at Microsoft you see it all plastered over the internet they have this and that and going to patch it but you may need another patch for the patch that is the difference.

Keep shut say nothing don’t confirm just quickly and quietly patch it, and still keep quiet in case they are users who still haven’t updated their OS

 

[jamezr]

Security issue after security issue for T-Mobile and many carriers in general. Remember when T-Mo Germany said they don't need to salt their passwords because their security is "that good"? Or when it was discovered that it's very easy to get access to a T-Mo account AND clone people's sims because T-Mo doesn't have very good security practices beyond asking for the last 4 of your SSN? I've heard stories of people phoning up carriers under the guise of being a store employee and they get access to all sorts of information without thorough identity verification!

I know Apple are the guys that purportedly screwed up here but when you look at T-Mobile's security in general, it doesn't have a very good track record, it should have never been possible for the Tmo verification API to allow unlimited requests without a time limit. These carriers need to seriously update their security practices. Just accepting the last 4 digits of your social security number is no longer a viable option.

Soooo....it's T-Mobiles fault Apple screwed up on Apple's website and exposed 2 million customer's personal information?

 

[ipponrg]

I remember a time when I thought storing stuff on my computer/online account was the safest place because no one can get to it.

I am very happy to lose all those services to get my privacy back and not be exposed. I used the internet without tracking pre-2005 and life was just as good. Many service available does not need tracking including email(ad supported), search engines(keyword ad supported), video-on-demand(paid service), IMs, maps...yes even maps. People used TomTom for GPS and it didn't track them IIRC.

They only track you because its an extra measure to make more money. Its like you pay a hospital for a surgery, then they sell all patient data to research companies to make statistics to sell for drug companies and insurance companies.

The internet and technology as usual innovated over time. Once companies started to understand the value of user data and how to leverage internet technologies to grab information about a user, then it became the current ball game we're in.

All companies do some sort of tracking in a way -- even the ones that claim they don't. For example despite popular claims by people on this forum, Duck Duck Go still sends tracking pixels to help the company understand how users use their search engine. It is a harmless tracking pixel that (they say) has no user information attached to it, but nonetheless it's still information that is being sent over the wire.

In a way, we kind of put ourselves in this place because of our reliance on the internet.

 

[1050792]

I was going to write a joke about this but this is already a joke itself.
Apple and security is no more.

 

[Mascots]

I'm happy you could do the same with your armchair analysis.

Well, whatever it takes to blame Apple - because Tmo is clearly so great about protecting your information..

Let me pull this quote directly from the article:

According to Ceraolo, the vulnerability is likely due to an engineering mistake made when connecting T-Mobile's account validation API to Apple's website.

Hmm - let's see who isn't protecting accounts, let alone validation from brute forces...? No API for authentication should trust the client supplying it to do the validation - another Tmo fail to allow this.

¯\_(ツ)_/¯

 

[jinnj]

But but ...



Lol. In my opinion the person, specific team, and definitely te head of OSX should’ve been CANNED for such a blatant pathetic oversight and mistake! The head of OSX’s sole responsibility other than leading the team is to check for significant holes in the OS and then sign off.

Should’ve shaved Federighi’s head bald just before WWDC!

Harsh but would’ve been funny to have 2 baldies in the executive staff lol.

This has nothing to do with any of the OSes developed by Apple. This was an Apple web service incident.

 

[DeepIn2U]

This has nothing to do with any of the OSes developed by Apple. This was an Apple web service incident.

This was a LOCAL admin account (SUDO) that was an issue not a web service and thus specific to macOS that you run on your Mac computer.

Sources:
macos-bug-lets-you-log-in-as-admin-with-no-password-required

https://twitter.com/lemiorhan/statu...ou-log-in-as-admin-with-no-password-required/

In one of Apple's biggest security blunders in years, a bug in macOS High Sierra allows untrusted users to gain unfettered administrative control without any password.

The bypass works by putting the word "root" (without the quotes) in the user name field of a login window, moving the cursor into the password field, and then hitting enter button with the password field empty. With that—after a few tries in some cases—the latest version of Apple's operating system logs the user in with root privileges. Ars reporters were able to replicate the behavior multiple times on three Macs. The flaw isn't present on previous macOS versions.

The password bypass can be exploited in a variety of ways, depending on the way the targeted Mac has been set up. When full-disk encryption is turned off, an untrusted user can turn on a Mac that's fully powered down and log in as root. Exploiting the vulnerability was also not possible when a Mac was turned on and the screen was password protected. Even on Macs that have filevault turned on, the bypass can also be used to make unauthorized changes to the Mac System Preferences (including disabling filevault), or the bypass can be used to log in as root after logging out of an existing account but not turning off the machine. The behavior observed in Ars tests and reported on social media was extremely inconsistent, so results are likely to vary widely.

The upshot of all of this: as long as someone has filevault turned on, their files are most likely safe from this exploit as long as their Mac is turned off before an attacker gets hold of it. Locking a screen with a password also appeared to protect a computer while it's unattended.

I see nothing about an Apple Web Service mentioned in this article (nor the except quoted above). It specifically mentions macOS High Sierra ... an OS not a website, not a web service as you claim.

Get Info.

 

[ANTAWNM26]

Pin for what?

I just have a username and password for AT&T.

Edit/ AT&T calls it a passcode.

better get a pin it is well known your account can be ported easily if you dont have a pin

 

[iapplelove]

better get a pin it is well known your account can be ported easily if you dont have a pin

it is a pin, just called a passcode. like the article mentioned its called a pin or a passcode to other companies. all AT&T customers have a 4 digit passcode.

edit: also AT&T now lets users have up to an 8 digit passcode. mine use to be 4 digits but now its the maximum 8.

 

[Webster's Mac]

Security issue after security issue for T-Mobile and many carriers in general. Remember when T-Mo Germany said they don't need to salt their passwords because their security is "that good"? Or when it was discovered that it's very easy to get access to a T-Mo account AND clone people's sims because T-Mo doesn't have very good security practices beyond asking for the last 4 of your SSN? I've heard stories of people phoning up carriers under the guise of being a store employee and they get access to all sorts of information without thorough identity verification!

I know Apple are the guys that purportedly screwed up here but when you look at T-Mobile's security in general, it doesn't have a very good track record, it should have never been possible for the Tmo verification API to allow unlimited requests without a time limit. These carriers need to seriously update their security practices. Just accepting the last 4 digits of your social security number is no longer a viable option.

I like my passwords sweet, not salty.

 

[supercoolmanchu]

Why would anyone use T-mobile?

If I’m getting reamed for phone service, it’s gunna be by the professionals at AT&T.

 

[inkswamp]

"The page allowed for infinite entry attempts into the PIN field...."

This is web security 101. Who puts a form online nowadays without some form of captcha or limit on usage? Hell, even Apple's form that allows you to look up Macs by serial number cuts you off after 3 lookups for a period of time. And yet, this is just sitting there waiting to be abused? This was sloppy and inexcusable.

No company is going to have 100% security they are going to be flaws spotted, what really matters is how quickly dose it take a company to address security flaws.

That's true, but this was really basic. This is something that anyone running a web site backend knows to shield their databases from. How many forms do you encounter nowadays that don't have a captcha or a built-in limit on usage? Almost none. This was an embarrassing oversight for Apple. It was the security equivalent of "hiding" your front door keys under the welcome mat. Apple is a great company but this was just dumb.

 

[Neo-Tech]

Well, whatever it takes to blame Apple - because Tmo is clearly so great about protecting your information..

Let me pull this quote directly from the article:



Hmm - let's see who isn't protecting accounts, let alone validation from brute forces...? No API for authentication should trust the client supplying it to do the validation - another Tmo fail to allow this.

¯\_(ツ)_/¯

If it was T-Mobile's fault, wouldn't Apple have said so? Why did it also affect AT&T accounts on Asurion? It's quite clear that both Apple and Asurion made a mistake in their implementation, but hey, let's dig up some articles showing how T-Mobile's security is bad so it must be their fault!

 

[vixster1901]

That's why they call it passcode, pass the code please... sorry, I couldn't help myself!

 

[fairuz]

Shouldn't T-Mobile's API have a rate limit per user? Even if you look past that, does their API documentation say that they don't have a limit and that clients like Apple should do the limiting?
[doublepost=1535341350][/doublepost]

Are you really serious? You typed a hundred and sixty+ words and dedicate 10 of those words to the culpable party. Not only that, you try to cast doubt on that culpability with "purportedly". Apple acknowledged the issue, fixed it quickly, and said thanks for bringing it to their attention. That's fairly cut and dried. What you did there... yeah, not a good look. TMo has it's own issues that deserve scrutiny and criticism. They're not to blame on this issue and Apple doesn't need you to deflect the blame for their mistake onto TMo. Apple owned it and fixed it PDQ... without the whataboutism.

T-Mobile was definitely doing something wrong here. No matter what they shouldn't be allowing infinite requests to check a 4-digit numeric PIN. Apple also should not have allowed it, but mainly cause they should know Tmo's security sucks (besides that just for their internal reasons); it's Tmo's job to protect the PIN and not "trust the client" as others said above.
[doublepost=1535341439][/doublepost]

Except they had the right security for the other carriers, but forgot to apply it to T-Mobile.

Maybe the other carriers did the rate limiting, and they applied the same to all.
[doublepost=1535341646][/doublepost]

Security issue after security issue for T-Mobile and many carriers in general. Remember when T-Mo Germany said they don't need to salt their passwords because their security is "that good"?

The person in charge of that Twitter account was also a total jerk. Literally troll-level. Though they're technically separate companies. The US rep responded more kindly but refused to say whether they take the blatant misstep of storing passwords.

Src: https://twitter.com/tmobileat/status/981418339653300224?lang=en
It's a fun read.

 

[69Mustang]

Shouldn't T-Mobile's API have a rate limit per user? Even if you look past that, does their API documentation say that they don't have a limit and that clients like Apple should do the limiting?
[doublepost=1535341350][/doublepost]
T-Mobile was definitely doing something wrong here. No matter what they shouldn't be allowing infinite requests to check a 4-digit numeric PIN. Apple also should not have allowed it, but mainly cause they should know Tmo's security sucks (besides that just for their internal reasons); it's Tmo's job to protect the PIN and not "trust the client" as others said above.

Yeah, you're doing the exact same thing as zacharino. Cursory half-acknowledgement-half-excuse for Apple's involvement and the rest is "hey let's excoriate TMo for an issue where Apple was at fault. Apple accepted responsibility for it's actions and fixed the issue... on it's site, not TMo's. As I said earlier, TMo has issues... plenty of 'em. This issue is Apples.

 

[MacBH928]

The internet and technology as usual innovated over time. Once companies started to understand the value of user data and how to leverage internet technologies to grab information about a user, then it became the current ball game we're in.

All companies do some sort of tracking in a way -- even the ones that claim they don't. For example despite popular claims by people on this forum, Duck Duck Go still sends tracking pixels to help the company understand how users use their search engine. It is a harmless tracking pixel that (they say) has no user information attached to it, but nonetheless it's still information that is being sent over the wire.

In a way, we kind of put ourselves in this place because of our reliance on the internet.

The problem is not 0 feedback... its how it used:

1)Sharing: When I give my ISP my address and Credit Card number, I really do not expect it to come up when I go shopping at Costco. I give you, not you and everyone else.

2)Anonymity: You want general statics like how many people online, how long they stay on the site...fine. Building a specific profile on me, keeping it, never deleting it against my will, and tracking every keystroke I hit, every link I click, every sound captured from the microphone...no.

3)Collecting what I do not know. For example, I didn't know Gmail reads your emails and serves ads based on that. I thought it geolocation based like how it used to be. I didn't know many services collect data on the device you use. They know if I am logging from a MacBook or an iPhone and which specific version of an iphone-if not an exact serial number.

 

[antonis]

Nobody claimed Apple is flawless. However, OSX users are less prone to attacks. Come at us when people start uploading ransomware on to Macs or iPhones on a large scale.

There you go. The linked article mentions a vulnerability that can give access to the Mac's keychain (e.g. the intruder makes your mac his). Happy ?

TL;DR from the article:

After creating a proof-of-concept attack that could interact and dismiss the keychain's access prompt and dump a user's unencrypted passwords and private keys, he reported the issue to Apple, which released a supplemental update to patch it as CVE-2017-7150. Now "mouse keys" are ignored by security alerts, and keychain access always requires a user's password.

This vulnerability is now fixed of course. Till the next one.

 

[Ethosik]

Hmm - let's see who isn't protecting accounts, let alone validation from brute forces...? No API for authentication should trust the client supplying it to do the validation - another Tmo fail to allow this.

¯\_(ツ)_/¯

Agreed. This is the first security rule in developing APIs and interacting with Client/Server type of data - never, under any circumstances, rely on client-side validation. T-Mobile is at fault here, not Apple. T-Mobile should NEVER rely on third party validation and security checks.

This is the biggest security rule in web development when passing data around! I am shocked T-Mobile even allowed this to begin with. NEVER EVER absolutely NEVER rely on client-side validation or security like 5 failed attempts.
[doublepost=1535372881][/doublepost]

"The page allowed for infinite entry attempts into the PIN field...."

This is web security 101. Who puts a form online nowadays without some form of captcha or limit on usage? Hell, even Apple's form that allows you to look up Macs by serial number cuts you off after 3 lookups for a period of time. And yet, this is just sitting there waiting to be abused? This was sloppy and inexcusable.


That's true, but this was really basic. This is something that anyone running a web site backend knows to shield their databases from. How many forms do you encounter nowadays that don't have a captcha or a built-in limit on usage? Almost none. This was an embarrassing oversight for Apple. It was the security equivalent of "hiding" your front door keys under the welcome mat. Apple is a great company but this was just dumb.

Apple certainly could implement a three check system, but it is an API integrated with T-Mobile's database. Apple would need to take up database storage to handle this. This is entirely on T-Mobile by not adding the required security on their API. Apple should not be forced to implement security that the API should have in the first place. It would take more resources for Apple to have database tables for keeping record of attempts, especially if you want a lockout for say an hour or 24 hours for one account.
[doublepost=1535373127][/doublepost]

Shouldn't T-Mobile's API have a rate limit per user? Even if you look past that, does their API documentation say that they don't have a limit and that clients like Apple should do the limiting?

You never, EVER absolutely NEVER should expose security risks by trusting third parties to perform your validation and security checks. NEVER. Under any circumstance! You can never trust client side validation.

The API should be the one performing this check. It should not be depending on Apple for this. What if someone found a way to bypass Apple's site altogether and develop their own malicious site/software that interacted with the API that did NOT perform these checks?

This is why the API level MUST.....ALWAYS....100% perform validation and security checks. There are no ifs. For proper security, it needs to be on the API level, not on a third party like Apple's website.
[doublepost=1535373290][/doublepost]

T-Mobile was definitely doing something wrong here. No matter what they shouldn't be allowing infinite requests to check a 4-digit numeric PIN. Apple also should not have allowed it, but mainly cause they should know Tmo's security sucks (besides that just for their internal reasons); it's Tmo's job to protect the PIN and not "trust the client" as others said above.

Along with my previous statements, I will add this. It is not Apple's job to do what an API should be doing in the first place. It would cost Apple significant resources by implementing their own database tables and storage. This is not just a simple thing.

 

[ipponrg]

Along with my previous statements, I will add this. It is not Apple's job to do what an API should be doing in the first place. It would cost Apple significant resources by implementing their own database tables and storage. This is not just a simple thing.

For a company with that much money, you’re making Apple sound like it’s some sort of startup. Granted I think the party at fault lies in what was agreed upon in their SLA

No, it won’t cost Apple significant resources. Implementing checks like this is straight forward. You don’t need massive complex database tables, and storage usage is minuscule. Modern datastores can store volatile data that can expire themselves.

 

[Ethosik]

For a company with that much money, you’re making Apple sound like it’s some sort of startup. Granted I think the party at fault lies in what was agreed upon in their SLA

No, it won’t cost Apple significant resources. Implementing checks like this is straight forward. You don’t need massive complex database tables, and storage usage is minuscule. Modern datastores can store volatile data that can expire themselves.

You need to make sure it is robust enough. Needs to have to potential to support millions of records for the millions of T-Mobile subscribers. And we do not know their environment. I had to create a system and in order for it to connect with everything it did end up being a complex table.

And yes it will cost significant resources. Not specifically hardware, but time and energy from their team that should be spent elsewhere.

 

[ipponrg]

You need to make sure it is robust enough. Needs to have to potential to support millions of records for the millions of T-Mobile subscribers. And we do not know their environment. I had to create a system and in order for it to connect with everything it did end up being a complex table.

And yes it will cost significant resources. Not specifically hardware, but time and energy from their team that should be spent elsewhere.

You don’t need to store millions of records at all. You are over thinking it. At its most pragmatic implementation level, you only have to restrict the number of tries for a given phone number. You can do this via Redis/Mongo/MySQL/etc. Hash their phone number, stored it in a volatile database, and associate a value. This value is the number of attempts. Set an expiration policy on the key. If key is accessed before expire time, increment corresponding value and update expiration. If key is hit > N times, then report error back.

This is completely disconnected from any API level integration.

If you think it costs significant resources, you are supporting the well known issue of Apple having internal management problems. For a company like Apple, it would not be an acceptable excuse. Now if you were a startup, you might have a point there.

 

[KxK]

Security issue after security issue for T-Mobile and many carriers in general. Remember when T-Mo Germany said they don't need to salt their passwords because their security is "that good"? Or when it was discovered that it's very easy to get access to a T-Mo account AND clone people's sims because T-Mo doesn't have very good security practices beyond asking for the last 4 of your SSN? I've heard stories of people phoning up carriers under the guise of being a store employee and they get access to all sorts of information without thorough identity verification!

First off, it was T-Mobile Austria. Secondly TMUS =! T-Mobile Austria or Deutsche Telekom.

Lastly, the phone number port out issue impacted all carriers not just TMUS. However, TMUS quickly moved to implement a pin code to make such changes.

But, to your point, yes using last four of your social is a garbage practice.