Your problem is your AppleID would be locked. So how do you get back into your Mac to utilize TM?
Sounds like the only solution there is to buy another Mac. Apple really needs to address this and quickly.
 
  • Like
Reactions: dk001
Here is a video on how to mitigate this exploit till Apple releases a patch to fix it. This obviously can't prevent them from accessing the information on your phone but it prevents them from changing your Apple account password and stealing your entire account. This is not my video but just one I found on YouTube.

 
Here is a video on how to mitigate this exploit till Apple releases a patch to fix it. This obviously can't prevent them from accessing the information on your phone but it prevents them from changing your Apple account password and stealing your entire account. This is not my video but just one I found on YouTube.


Apparently the screen time passcode can be circumvented...

 
  • Like
Reactions: dk001
I believe it can. However, there will still be some protection if someone grabs your unlocked phone - without knowing the device passcode or the email address you use with your Apple ID. (My understanding is they’d need either of those to circumvent.)

Apple 🍏: Please fix this!
 
  • Like
Reactions: rocketbuc
I believe it can.
It can.

However, there will still be some protection if someone grabs your unlocked phone - without knowing the device passcode or the email address you use with your Apple ID. (My understanding is they’d need either of those to circumvent.)
The exploit that this whole thread started with was the act of stealing one's passcode by observing it in a social situation, then stealing the phone itself, so assume they have the passcode, and this workaround video only makes things very slightly harder. I wish they would have mentioned that in the video as it gives false hope.

Apple 🍏: Please fix this!
They definitely need to do something, but so far Apple is treating it as a non-issue -- at least publicly. It bothers me most that you can't recover your account and the data therein if the password gets changed and your devices get disabled.
 
  • Like
Reactions: dk001
Do these steps:
  1. change screen time passcode
  2. turn off screen time passcode
  3. on the bottom of the screen on top of the keyboard, there is a Forgot Passcode button
  4. type your email
  5. Press OK
  6. Press Forgot ID or Password
  7. Then it asks your passcode BUT if you wait 5-10 seconds a popup asks for your iPhone passcode (not the screen time passcode)
  8. it asks for the new iCloud password
So if there is no reference to the email address on the phone (and the mail app turned off in Screen Time) this bypass of Screen Time would not work?
Or even simpler, just go to Privacy & Security > Safety check and go through the procedure until you have the choice to change iCloud password.
Even with a time passcode set (and warning saying I could not do some actions because of the screen time passcode), I was able to disconnect all my devices and reset my iCloud password...
And what about this one? Does it also require knowledge of the email address?
 
So if there is no reference to the email address on the phone (and the mail app turned off in Screen Time) this bypass of Screen Time would not work?

And what about this one? Does it also require knowledge of the email address?

The email is listed in Settings right under the user name.

Hmmm…..
So the email listed in Settings > User ID would have to not be in Passwords, Keychain would need to be off, not added to any app, and somehow blocked in the browser world.

Might have to test that out …. On second thought, not.
It is getting too complicated trying to find a “fix” for Apple’s miss.
Apple really really needs to fix this.
 
  • Like
Reactions: bobcomer
Do these steps:
  1. change screen time passcode
  2. turn off screen time passcode
  3. on the bottom of the screen on top of the keyboard, there is a Forgot Passcode button
  4. type your email
  5. Press OK
  6. Press Forgot ID or Password
  7. Then it asks your passcode BUT if you wait 5-10 seconds a popup asks for your iPhone passcode (not the screen time passcode)
  8. it asks for the new iCloud password

Or even simpler, just go to Privacy & Security > Safety check and go through the procedure until you have the choice to change iCloud password.
Even with a time passcode set (and warning saying I could not do some actions because of the screen time passcode), I was able to disconnect all my devices and reset my iCloud password...
Well, maybe this exploit will be patched as well. We can hope.
 
So if there is no reference to the email address on the phone (and the mail app turned off in Screen Time) this bypass of Screen Time would not work?

And what about this one? Does it also require knowledge of the email address?

I believe the bypass would not work. And I believe the second requires either the email or PIN passcode.

The email is listed in Settings right under the user name.

My email doesn't show there (I am using screen time).

The exploit that this whole thread started with was the act of stealing one's passcode by observing it in a social situation, then stealing the phone itself, so assume they have the passcode, and this workaround video only makes things very slightly harder. I wish they would have mentioned that in the video as it gives false hope.
Very true if they have the passcode and I agree the video should have made things clearer. However, if screen time can offer SOME protection in SOME circumstances it seems worthwhile doing for now.
 
This article says, "Apple users should set their own Apple ID recovery key, which prevents anyone else from doing it." But it looks like the recovery key can be turned off and replaced with another just by using your iPhone's passcode. Am I missing something?
 
"Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud."

You need your Apple ID password to turn FindMy off, which should not be the same as your phone's passcode. If it is, no sympathy, sorry. And same as using an ATM, when entering your phone's passcode, just be sure no one is watching. How hard can that be?



Edit: I just watched one of those videos, it seems your Apple ID password can be changed if the thief knows your phone's passcode. My passcode is even longer now.
 
People messed with me in the past because I have an unusually long alphanumerical password, but it's exactly for stories like this that I have it. I use FaceID anyway, but good luck guessing my password.

Mobile phones today basically have access to every aspect of our lives. We cannot be lazy on the device password strength.

My Apple ID password is also very long, alphanumeric, something only my wife and I will ever know.....but as I just said, be sure your phone's passcode and Apple ID password are not the same. In fact, no 2 passwords that you use anywhere should be the same, digital security 101. But we all know that, right?
 
  • Like
Reactions: Apple_Robert
"Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud."

You need your Apple ID password to turn FindMy off, which should not be the same as your phone's passcode.
I think it was posted earlier in this lengthy discussion that the thief was able to reset the Apple ID password using the phone's passcode. In that case, they will know the Apple ID password because they have chosen it.
 
I think it was posted earlier in this lengthy discussion that the thief was able to reset the Apple ID password using the phone's passcode. In that case, they will know the Apple ID password because they have chosen it.

I just realised that. No, I haven't read this whole thread. I'm busy with a security audit of my Apple devices right now....not that I'm at risk of being socially targeted.
 
I still don’t understand this.
It appears that every time I login to a new device - or even change passwords or go into anything account related - I get popups and notifications just about everywhere.

Even when I call Apple - just got an email after agreeing to authenticate via Apple's internal engine.

I have a 10+ digit passcode due to MDM/corp policy on phone, iPad, and watch. But again - a lot of this seems like an edge case, by somewhat careless users.
 
I still don’t understand this.
It appears that every time I login to a new device - or even change passwords or go into anything account related - I get popups and notifications just about everywhere.

Even when I call Apple.
I have a 10+ digit passcode due to MDM/corp policy on phone, iPad, and watch. But again - a lot of this seems like an edge case, by somewhat careless users.

I also think this is a non-issue, for most Apple users.

I have been using ATM & credit card machines for the better part of 30 years, and to date no one has seen me enter my 4 digit pin, and if they did, they didn’t get their hands on my card. Why should my iPhone, with 6 digits be any different? And what are the odds of anyone guessing the correct passcode in less than 10 attempts? After which we all know what happens. Credit cards/ATMs are usually blocked after just 3 attempts.
 
  • Like
  • Haha
Reactions: lindros2 and dk001
Why should my iPhone, with 6 digits be any different?
You're not always in an alcove made for privacy and the iPhone has this nasty habit of asking for the passcode at the most inopportune times. So they watch you put in the code and they own you.
 
  • Like
Reactions: dk001
The difference is that there’s a lot less damage (depending on the owner) someone could do with an ATM card and PIN than with a trusted device iPhone and a passcode.
 
  • Like
Reactions: ozaz and dk001
You're not always in an alcove made for privacy and the iPhone has this nasty habit of asking for the passcode at the most inopportune times. So they watch you put in the code and they own you.

If it's an inopportune time, it can wait 3 seconds for me to turn around or hide the key pad. I don't need access to my phone 24/7/365.

I was born before cell phones were invented, so I think I know when is or is not an appropriate time to use them. Like I said, no one has seen me put any code into any machine to date. I'm not about to let that happen.
 
The difference is that there’s a lot less damage (depending on the owner) someone could do with an ATM card and PIN than with a trusted device iPhone and a passcode.

It's not about what they can or can't do if they see me putting in my ATM pin or iPhone passcode, it's about the principle of simply not letting others see me input codes into any machine, period.
 
  • Like
Reactions: I7guy
It's not about what they can or can't do if they see me putting in my ATM pin or iPhone passcode, it's about the principle of simply not letting others see me input codes into any machine, period.

Not realistic.
To expect someone to 100% cover and conceal pin input on their device 24/7/365 is not a real option.
Trying to do it often as possible will reduce your risk though. Just won't eliminate it.
 
  • Like
Reactions: ozaz
If it's an inopportune time, it can wait 3 seconds for me to turn around or hide the key pad. I don't need access to my phone 24/7/365.
Can you hide it from all the cameras around, some that you might not even be able to see? Can you hide it in a busy bar or store? I don't think you can, and that's how this thread started, describing how someone lifted a passcode, and then phone...

That actually isn't the worst problem -- the crux of the main problem is if you have someone's passcode, you have everything, and can lock them out of their accounts and data, and even steal their money. There is no way for you to get your icloud account back, or device for that matter, and the bad guys can lock all your devices...
I was born before cell phones were invented, so I think I know when is or is not an appropriate time to use them.
I don't think that makes any difference, but I too was born WAY before cell phones.
 