Social engineering is the biggest weakness in online security nowadays. However, a "7 digit alphanumeric" password isn't very secure either. That can be brute forced in a reasonable amount of time.

Additionally, I wouldn't necessarily take a hacker's word as gospel with regard to how he cracked your account. If he brute-forced it, for instance, he might prefer that other people with short passwords not be made aware of their shortcomings.
 
How is this an Apple flaw or issue? If anyone calls up and can answer the security questions on the account, they can gain access. What is Apple supposed to do when you answer the questions? Say, "You know, I don't believe that's really you, access denied!!"?
The only way this is that advisor's fault is if the security questions weren't answered and he was just resetting passwords for anyone that called that day.

The allegation is not that they had the answers to the security questions, but that Apple's support staff were exploited through social engineering.

The attacker asks the support staff questions like:

Oh, I can't remember my security answer. Is it two words or one?

Oh, my favourite food. Is that a fruit?

Oh, my favourite teacher. Is it a man or a woman?

They can do this over multiple calls or on different services.

If you find out the favourite food is a fruit in one call to Apple, then you can tell them it's a fruit the next time you call. That might prompt them to say that it's a red fruit.

This slow drip of information builds up, combining with things that the attacker already has or can guess.
 
However, a "7 digit alphanumeric" password isn't very secure either. That can be brute forced in a reasonable amount of time.

True, but a web login can put in a time lock to make that impossible: after 3 failed attempts you have to wait 10 minutes, etc.
 
This terrible story is the reason why nobody should put all their eggs in one basket (read: ecosystem). Be it Apple/Google/Microsoft. You're just asking for trouble.

Also 1Password/LastPass/KeePass are amazing. Use them.

This was social engineering. If someone uses social engineering to get your LastPass login, you are even more screwed.
 
What will your take on this be if it turns out you were wrong, and Apple did give out this kind of access?

I don't think Jim Dalrymple would be posting this if he had any reason to doubt the legitimacy of the story:

http://www.loopinsight.com/2012/08/05/apple-tech-support-helped-hacker-access-honans-account/

Jim's the guy who confirms A LOT of Apple rumors with a simple "Yep".
And note that he said nothing that confirms this at all; he is just reporting it, like MR did. And it should be pointed out that nobody is infallible. I trust Jim on a lot of things, but he appears to just be passing this on and assuming it is true.
 
Social engineering is the biggest weakness in online security nowadays.

However, a "7 digit alphanumeric" password isn't very secure either. That can be brute forced in a reasonable amount of time.

As long as he wasn't rocking "password" or "12345" like most people do, it was probably easier for them to social engineer Apple rather than trying to brute force the password.

And while this is a huge failure for Apple, the entire password and security question model does not work. It works great if we're computers and can remember that stuff, but we're not. This leaves room open for social engineering.
 
Because it was being posted on 4chan as it went down. I was watching the thread on it yesterday in /g/. A 4channer did it; he was angry because, for being a computer writer, he seemed to have no idea how computers or any other technology work.

And did this guy say he contacted Apple Support to bust in? Because if he didn't admit to that bit, how do we know he did, rather than Honan just having a ****** security question on the reset webpage?
 
He's a former Gizmodo contributor.

The story said his iOS devices and MacBook got remote wiped.

And is it possible to do a local backup of an iOS device when you have the remote iCloud backup enabled? As far as I know, once you enable cloud backups, iTunes no longer allows you to back up to the computer. Another stupid implementation by Apple.

Indeed that's how it works, and yes, it's really stupid.

No, that's not how it works. The way it works is you choose whether the automatic backup is made to the cloud or to the computer. But if you choose iCloud, there is nothing stopping you from right-clicking on the device in iTunes and choosing the option "Back up"...
 
Sorry but someone did it to my account with just a serial number. AppleIDs have never been secure and apparently still aren't.

How did they get your SN?

Didn't Apple ask for some personal information also? That's how I have my ID set up. I can't just give them a SN. They have to ask for my SSN, phone number, address and other info.

And besides, I'd like to see some proof of this besides a guy's word.
 
If you listen to his podcast, he often says he refuses to post stories he has reason to believe might be untrue.

I know that. But that still doesn't mean that any of this is confirmed. He can still be wrong even if he believes it. He didn't say anything that ranks with a "yep" as far as I am concerned.
 
How did they get your SN?

Didn't Apple ask for some personal information also? That's how I have my ID set up. I can't just give them a SN. They have to ask for my SSN, phone number, address and other info.

And besides, I'd like to see some proof of this besides a guy's word.

And witness classic blame the victim mentality because it doesn't fit with your world view that Apple could have seriously screwed up with AppleIDs.

I love Apple but I am under no delusion that AppleIDs are at all or have ever been secure.

My previous posts have outlined pretty much exactly what happened.

Regarding all your accusatory questions, why should a device serial number and only a device serial number be able to let someone completely change all your info? Just the other day I walked into an Apple Store to get an iMac serviced and the iMac's serial number was registered to some random person I never heard of before. I bought this iMac new and registered it the same day. So their serial number system is obviously flawed.

I'm sorry, but your faith in Apple with respect to account security is severely misplaced.
 
Social engineering is the biggest weakness in online security nowadays. However, a "7 digit alphanumeric" password isn't very secure either. That can be brute forced in a reasonable amount of time.

Additionally, I wouldn't necessarily take a hacker's word as gospel with regard to how he cracked your account. If he brute-forced it, for instance - he might prefer other people with short passwords not be made aware of their shortcomings.

It would have 78,364,164,096 possible combinations. Let's assume you can do 10 of them a second, as you have to deal with the lag time of both sending and receiving. It would take you over 264 YEARS to chew through all of them.

So after a little over 130 years you have a 50/50 shot of getting the password right.

While if I could do a brute force attack locally on a computer, yeah, that is easy to do. But if you account for ping times it is another story. On top of that, generally speaking, any security system worth its salt is going to see a very large number of incorrect tries in a very short time span and lock down the account, and at the very least slow down the response time greatly, if not add other protections as well.
 
Wait, do you think I have a backup in each of the locations I mentioned earlier? I haven't; those were just examples of places one could keep them. And it's not like I go pick it up, back up my computer, then return to put it back. That's just silly and very ineffective. Why would you even think such a thing?

I'm not going to go assume much past this thread but I take 'several' as meaning at least seven.

This is not what real people will do. Why do you think iCloud even exists? I don't care what password you have; this is a mistake by Apple. Give me brute-force access and I will get your password too.

The worst part is that Honan had an all numeric password which made it easy. It's like he was an adult from the 90s who didn't understand the consequences.
 
And witness classic blame the victim mentality because it doesn't fit with your world view that Apple could have seriously screwed up with AppleIDs.

I love Apple but I am under no delusion that AppleIDs are at all or have ever been secure.

My previous posts have outlined pretty much exactly what happened.

Regarding all your accusatory questions, why should a device serial number and only a device serial number be able to let someone completely change all your info? Just the other day I walked into an Apple Store to get an iMac serviced and the iMac's serial number was registered to some random person I never heard of before. I bought this iMac new and registered it the same day. So their serial number system is obviously flawed.

I'm sorry, but your faith in Apple with respect to account security is severely misplaced.

Relax, NAG. When I said I wanted to see proof I was referring to the blogger, not you.

Perhaps your experience is different than mine. I've always been asked for personal info.
 
I'm not going to go assume much past this thread but I take 'several' as meaning at least seven.

This is not what real people will do. Why do you think iCloud even exists? I don't care what password you have; this is a mistake by Apple. Give me brute-force access and I will get your password too.

The worst part is that Honan had an all numeric password which made it easy. It's like he was an adult from the 90s who didn't understand the consequences.

I'm pretty sure he had an alphanumeric and not an all-numeric password.
 
I recently received an iTunes receipt for movies I had not watched. What chafes my arse is that iTunes support is only online/email based. As a former corp. employee I called AppleCare and they immediately took care of it (yes, I played that card), saving me from having to wait in a chat line to type out the issue, which takes much longer to communicate.

While I praised the service reps I dealt with, Apple has piss-poor iTunes account support. Since many use their iCloud for almost everything, this is a serious issue. In fact, I read comments on MacRumors that iCloud backups aren't even encrypted?!

(I keep backups locally via iTunes and iCloud, and use 1Password - a great app already mentioned)
 
Tech guy?

So, let's get this straight...a hacker "decides" to hack the account of a semi-high profile tech guy and then after committing several serious crimes like fraud that could land him in jail for an extended period of time repeatedly contacts the person he hacked when he must know that Apple will surely pursue this matter?

I smell a rat...

I agree! Makes me wonder how one becomes a 'high profile tech guy' in the first place... I'm not a tech guy, and I'm certainly not high profile...yet, I can't think of a single document, photo, movie, tv show, music, etc etc, that I couldn't recover via iCloud, Time Machine, or my local RAID 1 drive if ALL my devices were wiped at the same time... yea, something smells fishy...
 
Relax, NAG. When I said I wanted to see proof I was referring to the blogger, not you.

Perhaps your experience is different than mine. I've always been asked for personal info.

I have too, and they didn't believe me. It took me two years of on-and-off trying to get the account fully fixed because they wouldn't believe me or something.

It only takes one idiot Apple Support person to screw up your AppleID and the idiot that did it to mine only required a serial number (I know because it was done by someone completely by accident and they weren't out to screw me like what happened with the blogger).

And as far as your post, sorry but you quoted me and not the blogger. So it kind of looked like you were impugning me.
 
Can someone explain to me what is meant by "social engineering?" Did the hacker guess the person's security question or something?
 
Can someone explain to me what is meant by "social engineering?" Did the hacker guess the person's security question or something?

I don't think we know at this time. Usually when someone social engineers they act like a complete idiot and ask for sympathy from the employee in some way.

Essentially, you trick the person on the other end into doing things for you that they should not be doing for you.
 
It would have 78,364,164,096 possible combinations. Let's assume you can do 10 of them a second, as you have to deal with the lag time of both sending and receiving. It would take you over 264 YEARS to chew through all of them.

So after a little over 130 years you have a 50/50 shot of getting the password right.

If a completely random password is used, which I bet is almost never the case.
 
True, but a web login can put in a time lock to make that impossible: after 3 failed attempts you have to wait 10 minutes, etc.

The trouble is that iCloud uses so many services that all use the one password. They all use different protocols that have their own weaknesses and known exploits.
The web GUI may lock you out after 3 failed attempts, what about the iCloud syncing protocol, iMessage, iTunes purchasing, IMAP…
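The arithmetic from the earlier post (36^7 combinations at 10 guesses a second, with a 50/50 chance at the halfway point) and the point made just above (a lockout on the web form means nothing if another protocol sharing the password has none) both reduce to a small cost model. The following is an added example written for this thread, not code from any poster or from Apple. The 36-symbol alphabet and 7-character length match the "7 digit alphanumeric" figure; the guess rates, the 3-failures-then-10-minutes lockout, the endpoint names and the 10,000-entry password list are constructed assumptions for illustration, not measurements of any real service. Carried through exactly, 36^7 / 10 guesses per second comes out near 248 years rather than 264.

```python
"""Brute-force cost model for password guessing against an online login.

Added example, not code from any post in this thread. Every number here is
constructed for illustration: the 36-symbol alphanumeric alphabet and
7-character length match the thread's "7 digit alphanumeric" figure, but the
guess rates, lockout policy and endpoint names are assumptions, not
measurements of any real Apple service.
"""
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried before the right one."""
    return space / guesses_per_second


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average case: the right guess turns up halfway through the space."""
    return seconds_to_exhaust(space, guesses_per_second) / 2


@dataclass(frozen=True)
class Endpoint:
    """One login surface that accepts the same password (constructed names)."""
    name: str
    raw_guesses_per_second: float  # bounded by the round-trip time per attempt
    lockout_attempts: int = 0      # 0 means no lockout at all
    lockout_seconds: float = 0.0   # wait imposed after lockout_attempts failures

    def effective_rate(self) -> float:
        """Sustained guesses per second once the lockout policy is applied.

        Each cycle is `lockout_attempts` guesses at the raw rate followed by
        a forced wait, so the sustained rate is attempts / cycle length.
        """
        if self.lockout_attempts <= 0:
            return self.raw_guesses_per_second
        burst = self.lockout_attempts / self.raw_guesses_per_second
        return self.lockout_attempts / (burst + self.lockout_seconds)


def years_to_exhaust(space: int, endpoint: Endpoint) -> float:
    return seconds_to_exhaust(space, endpoint.effective_rate()) / SECONDS_PER_YEAR


def weakest_endpoint(endpoints, space):
    """The endpoint with the highest sustained rate sets the real exposure:
    a lockout on the web form buys nothing if another protocol has none."""
    worst = max(endpoints, key=lambda e: e.effective_rate())
    return worst.name, years_to_exhaust(space, worst)


def dictionary_seconds(list_size: int, guesses_per_second: float) -> float:
    """If the password is one of `list_size` common choices rather than a
    random string, the search collapses to the list, not to the keyspace."""
    return seconds_to_exhaust(list_size, guesses_per_second)


if __name__ == "__main__":
    space = keyspace(36, 7)
    print(f"36^7 keyspace: {space:,}")
    print(f"exhaust at 10/s: {seconds_to_exhaust(space, 10) / SECONDS_PER_YEAR:,.1f} years")
    print(f"50/50 point at 10/s: {expected_seconds(space, 10) / SECONDS_PER_YEAR:,.1f} years")

    # Constructed endpoints: a web form with a 3-fails-then-10-minutes lockout,
    # and a hypothetical legacy protocol with no lockout but the same latency.
    web = Endpoint("web login (constructed)", 10, lockout_attempts=3, lockout_seconds=600)
    legacy = Endpoint("legacy protocol (constructed)", 10)
    print(f"web with lockout: {years_to_exhaust(space, web):,.0f} years")
    name, years = weakest_endpoint([web, legacy], space)
    print(f"weakest surface: {name} -> {years:,.1f} years")

    # A 10,000-entry common-password list (constructed size) at the same rate.
    print(f"top-10k list at 10/s: {dictionary_seconds(10_000, 10):,.0f} seconds")
```

The lockout turns a few hundred years into a few hundred thousand, but `weakest_endpoint` shows the defender's real number is whichever surface lacks the lockout, and `dictionary_seconds` shows why the keyspace figure only holds for a genuinely random password.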
 
I wonder if this was in the UK? If it was, then you would be entitled to report the offence to the telecoms ombudsman and the police, and it would be Apple as much as the hacker that they would investigate and prosecute. This would be deemed a major breach of the DPA.
The agent on the phone AND the employer can each be fined heavily and prosecuted if the DPA breach is bad enough.
 