A funny/alarming side note on the subject: I've changed my password on Twitter, but I haven't had to enter the new password on either OS X Mountain Lion or my iPhone!

I'm not sure how Twitter works, but it's generally considered to be a bad idea to store the password on the device after you log in (because someone could then look at the password file).

Instead of doing that, they check the password when you log in and then download a token unique to that device and account allowing the app to connect to the service.

Some services handle revoking these tokens differently. With something like Dropbox, you can "Unlink" a device (lost/stolen/selling it/etc.) without changing the password. Other services might do it automatically when you change the password.
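
The per-device token scheme described in the post above, as an added example that is not part of the original thread and is not any service's actual code. The `TokenStore` class, its method names, and the account and device names are all hypothetical; it shows unlinking one device, and a password change with and without token revocation.

```python
import hashlib
import hmac
import secrets

class TokenStore:
    """Hypothetical server-side store: one random token per (account, device)."""

    def __init__(self):
        self._pw = {}      # account -> (salt, password hash)
        self._tokens = {}  # sha256(token) -> (account, device); raw tokens are not kept

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, account, password, revoke_tokens=True):
        salt = secrets.token_bytes(16)
        self._pw[account] = (salt, self._hash_pw(password, salt))
        if revoke_tokens:  # policy choice: a password change logs out every device
            self._tokens = {h: v for h, v in self._tokens.items() if v[0] != account}

    def login(self, account, password, device):
        """Check the password once, then hand the device its own token."""
        salt, stored = self._pw.get(account, (b"", b""))
        if not hmac.compare_digest(stored, self._hash_pw(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = (account, device)
        return token

    def check(self, token):
        """Return (account, device) for a live token, else None."""
        return self._tokens.get(hashlib.sha256(token.encode()).hexdigest())

    def unlink(self, account, device):
        """Revoke one device (lost, stolen, sold) without changing the password."""
        self._tokens = {h: v for h, v in self._tokens.items() if v != (account, device)}

def demo():
    store = TokenStore()
    store.set_password("alice", "old-pw")          # constructed sample account
    phone = store.login("alice", "old-pw", "phone")
    laptop = store.login("alice", "old-pw", "laptop")
    store.unlink("alice", "phone")                 # phone lost, password untouched
    after_unlink = (store.check(phone), store.check(laptop))
    store.set_password("alice", "new-pw", revoke_tokens=False)
    kept = store.check(laptop)                     # old token still works, no re-login
    store.set_password("alice", "newer-pw")        # stricter policy: revoke everything
    return after_unlink, kept, store.check(laptop)
```
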
 
Major Apple Fail.

I hope the employee who provided this information is no longer with the company.
As an employee of a major company with millions of customers, we take this sort of thing very seriously. We don't care if you "don't remember" your security information. We have many steps to authenticate a customer, so to "forget" them all is not acceptable. Someone who can be convinced over the phone to change a password without verifying should not be talking to a customer.
 
Even if so, what's it for, if they know your password already - imagine they've already gained access to your iCloud account...

Best would be to implement 2-step verification like Google has - it works perfectly. Also, as some guys mentioned above, a PIN for turning off the device would be a huge improvement in security as the device could not be turned off immediately. Also I can imagine some kind of state where the device keeps some battery reserve to be able to respond to iCloud (FindMyiPhone service) and be trackable if the device is turned off and the PIN was not entered.

But all those security measures could be circumvented by simply wrapping the phone in aluminum foil upon theft, right?

There needs to be (or there might be, I don't exactly know all of the security mechanisms in place) a way to track the device after a remote wipe that's not dependent on some stored login information or current sim card. Perhaps a MAC-address or other unique device identifier.
 
That wouldn't be right. They shouldn't lose their job (especially in this economy) just because they were trying to help someone, even if it was a bit of a dumb mistake.

While I generally don't like the "heads must roll" ideology, if someone has ignored security policy and given away access to a customer's personal data and account, that's a pretty serious problem.
 
But all those security measures could be circumvented by simply wrapping the phone in aluminum foil upon theft, right?

There needs to be (or there might be, I don't exactly know all of the security mechanisms in place) a way to track the device after a remote wipe that's not dependent on some stored login information or current sim card. Perhaps a MAC-address or other unique device identifier.

Yup, they can track stolen phones.

http://www.technolog.msnbc.msn.com/technology/technolog/att-block-phones-are-reported-stolen-866736
 
Apple really needs 2-step authentication (Google offers it, and it works really great).
For sure. I use 2-step on my Google account. It's a pain sometimes, but I rest easy knowing my account is air-tight. My life is on my Google account so it makes perfect sense to have it ratcheted down and secured.
 
I find it weird how so many people here seem to think that Gizmodo hates Apple because they leaked a design that made the iPhone 4 one of the most desired devices of all time, before Apple had even revealed it and had discussed any of the features it had.

People are willing to blindly accept that Gizmodo is "anti-Apple", but they never stop to consider that the people telling them that could have an agenda of their own...

I hope you aren't suggesting that Gizmodo's reveal of the iPhone 4 had anything to do with its success.

Was buying illegitimately obtained property, believed to belong to Apple, pro-Apple? Was revealing Apple's trade secrets on the internet pro-Apple? Was damaging an Apple prototype device pro-Apple? Was trying to blackmail Apple into giving Gizmodo more press access before they would return the stolen property pro-Apple?
 
Can one of the 2-step advocates explain how you would do 2-step authentication on a phone? With another phone?

Even Google doesn't do 2-step authentication on Android...

Having just signed up for Google 2-step authentication, I can share my experience.

You log in to a web page with your 2-step authentication and request a password for the phone. You enter this password instead of your regular Gmail password. The password is a "one time use" password. Seems like a pretty safe way of doing it.

I think gkpm is asking how one would do two step authentication when logging into something on a phone.

If not, your answer, scarred, would be the proper answer.

If gkpm is indeed asking what I think he is asking, Google has come up with a solution for this. When you set up two-step authentication, Google lets you generate random passwords that are to be used on certain devices. For the Mail app on my iPhone, I entered the randomly generated password and it was accepted.

If I try to log into Gmail on Safari on my iPhone...I'm not entirely too sure actually...I'll get back to you.
 
I hope you aren't suggesting that Gizmodo's reveal of the iPhone 4 had anything to do with its success.

Of course not, but it provided a lot of positive buzz on the internet. People were genuinely excited to see the new design as it was so different from the previous ones.

There wasn't much for anyone to not like about it at that point. The major iPhone 4 controversy (the antenna issue) didn't come up until after the device was released.

Was buying illegitimately obtained property, believed to belong to Apple, pro-Apple? Was revealing Apple's trade secrets on the internet pro-Apple? Was damaging an Apple prototype device pro-Apple? Was trying to blackmail Apple into giving Gizmodo more press access before they would return the stolen property pro-Apple?

None of these things were anti-Apple. They may have broken the law and done some pretty underhanded things, but that doesn't mean that they were working to make Apple or Apple's products look bad. They were working to get a good journalistic scoop.

If it had been a Google phone I'm sure they'd have done exactly the same thing.
 
My dad taught me to believe half of what you hear and none of what you read.

No way Apple Support would give someone this kind of access without distinct identifying information.
 
My dad taught me to believe half of what you hear and none of what you read.

No way Apple Support would give someone this kind of access without distinct identifying information.

Why not?

This is one of the most common types of identity theft happening now.

What do you think Apple does that makes them immune to it?
 
So far, the answer is e) not enough information.

Complicating the picture:

* Gizmodo connection

* Lack of any corroborating evidence as to Mat's supposition that Apple gave his access away (at least at the time I'm writing this)

...and more than a few other things.

Absolutely, Apple could be at fault here. But those other circumstances give me a lot of pause here.
 
My dad taught me to believe half of what you hear and none of what you read.

No way Apple Support would give someone this kind of access without distinct identifying information.

Sorry but someone did it to my account with just a serial number. AppleIDs have never been secure and apparently still aren't.
 
No way. You have a hard drive with all your data in your computer. You need a complete physical backup onsite, and another offsite, and maybe one in the cloud. Anything less and you can't cry foul when disaster hits.

The problem is that Apple promotes iCloud as a solution that allows you to use iOS devices without a computer. This appears to demonstrate a flaw in that system as currently implemented.

However I'm skeptical that someone working for Gizmodo was really using iOS without a computer. So this may be a staged test case rather than a real instance.
 
The problem is that Apple promotes iCloud as a solution that allows you to use iOS devices without a computer. This appears to demonstrate a flaw in that system as currently implemented.

However I'm skeptical that someone working for Gizmodo was really using iOS without a computer. So this may be a staged test case rather than a real instance.

FYI: iCloud can remote wipe your OS X and iOS machines.
 
And is it possible to do a local backup of an iOS device when you have the remote iCloud backup enabled? As far as I know, once you enable cloud backups iTunes no longer allows you to back up to the computer. Another stupid implementation by Apple.

Indeed that's how it works, and yes, it's really stupid.
 
He's a former Gizmodo contributor.

The story said his iOS devices and MacBook got remote wiped.

And is it possible to do a local backup of an iOS device when you have the remote iCloud backup enabled? As far as I know, once you enable cloud backups iTunes no longer allows you to back up to the computer. Another stupid implementation by Apple.

If they can restore backups within a certain period of time it would fix the issue of someone gaining control of the AppleID and wiping both the device and the backup.
 
Hm, Gizmodo got hacked a while ago; lots of passwords were leaked, including staff's. Isn't it feasible that it could be the source of this as well?
 
How is this an Apple flaw or issue? If anyone calls up and can answer the security questions on the account, they can gain access. What is Apple supposed to do when you answer the questions, say, "You know, I don't believe that's really you, access denied!!"?
The only way this is that advisor's fault is if the security questions weren't answered and he was just resetting passwords for anyone that called that day.
 
He's a former Gizmodo contributor.

The story said his iOS devices and MacBook got remote wiped.

And is it possible to do a local backup of an iOS device when you have the remote iCloud backup enabled? As far as I know, once you enable cloud backups iTunes no longer allows you to back up to the computer. Another stupid implementation by Apple.

Ah, yes. This means he enabled Find My Mac; which apparently exposes a Mac to remote wipe.
 