This is a bit worrying. I have got so used to just putting my password in that I hardly think about it. I notice sometimes it will seem to ask a lot over a few weeks, then calm down.
Am I correct in thinking that for this to work in iOS or macOS one would need to install an app containing this code? Or could they get it into your iPhone/Mac without you downloading an app?
On both my MacBook and iPhone I only really have a few apps, all from big, legit companies, so I hope I am safe, but it does make me concerned. The other week I had a strange experience: when I opened Settings for iCloud to turn Keychain on and off to get it to remember some new Wi-Fi passwords, the box asking for my password popped up, I entered it, and then it popped up immediately again asking for it. Then it seemed to work fine.
Has there actually been any example of this trick really being used? Or is it just theoretical? Maybe a good time for us to change passwords...
> Always enter an incorrect password first. If it doesn't complain you entered the wrong password, you know it is a phishing thingie.

This is a good idea, however it doesn't get to the root of the problem of who is prompting the fraudulent pop-up to begin with?
Good to know. I usually just put in my password just to get rid of that annoying pop up. Apple definitely needs to work on this. It usually asks me when I’m on an app like Music, App Store, etc. It shouldn’t have to ask me to re-enter my password unless I purposely signed out (Signout all devices option when changing password, etc.) or try to purchase an app.
... and then paste your 1password password into said pop up. So it would work, just 3 seconds later.
> Good to know. I usually just put in my password just to get rid of that annoying pop up. Apple definitely needs to work on this. It usually asks me when I’m on an app like Music, App Store, etc. It shouldn’t have to ask me to re-enter my password unless I purposely signed out (Signout all devices option when changing password, etc.) or try to purchase an app.

Right, but I think it prompts this when Apple's servers are down, because I've had this too, like many here; it used to last for a couple of days and then it stops.
Right. This is the problem with iOS at heart - that really needs to be fixed by Apple (only Apple can fix it). Apple - because of a way too drastic privacy policy ideology - conditioned its users to *CONSTANTLY* type in their Apple ID password over and over and over and over again!
Because Apple *still* doesn't have a desperately needed identity management system (SSO). So everyone is forced to manage on their own, and repeatedly typing in the password to the point it becomes second nature.
Google has one, Facebook has the most successful system, Amazon does too. Apple, we NEED an identity management system! We need a universal login system on iOS now!
> The Windows security dialogs don't require Control-Alt-Delete, which I think I understand is a sacred system-only input. They seem to have the same problem. They just have complicated full-screen animations and stuff that I'm guessing are to make it harder to spoof just from a practical standpoint.

On Windows, you can't use Alt+Tab during UAC elevation. So it's very easy: if Alt+Tab works, it's a scam. If Alt+Tab doesn't work, it's the real Windows dialog.
I don't know much about this side of technology, but I am curious: how do Facebook, Amazon and Google do it? Now you write it, it occurs to me that yes, I very rarely have had to re-enter passwords for any of those 3 (I'm guessing by Google you mean Google Gmail etc.? Or do you mean Android has a better way?)
It's easy to fix in iOS since apps are sandboxed, so they could lock some part of the screen, but I know apps can access the entire screen currently. Dunno how it could be fixed in macOS for unsandboxed apps.
It's not that easy to fix on iOS, because games can draw to 100% of the screen, and they can do just about anything. Apple could try to use something like a red keyboard, but app developers could easily create a fake keyboard that looks like anything.
It's going to be easier with the iPhone X, because it has that bottom "swipe up" area where app developers absolutely cannot draw pixels, no matter what.
There are a few things that developers cannot fake. For example, the swipe up for Control Center and swipe down for Notification Center cannot be disabled by developers. Apple could make their password dialog so that it disables swipes. Then we could test the authenticity by swiping. If swiping brings up Control Center, it's a fake dialog. But who's going to do this every time Apple is asking for a password? How many of us are so knowledgeable, and how many of us are going to remember to check the swipe or the volume button, or something like that?
Here's what Apple could do. The authentic message box could say this: Sign-In Required. Please press the home button, then enter your password.
If someone wanted to fake this behavior, pressing the home button would simply quit their app. When Apple is doing it, they have enough control to program this special behavior, which is impossible to fake by mundane developers. On the iPhone X, use a swipe up, which does the same as the home button.
If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.
Correct. Virtually every platform company - including Microsoft - actually has an identity [login] management system.
Apple doesn't
Hence why they run into sporadic serious security vulnerabilities such as this - which are actually very amateur....
Apple developer ID system, randomly displaying the wrong account information. iTunes, Apple Developer Connect, iTunes Connect, Apple ID.... all have DIFFERENT login systems with the worst security.
Apple is the only company that doesn't have an identity management system. It's downright criminally negligent, because they have so many amateur security issues that make all of us LESS safe.
> Not so clever. Old trick from the 90s. The old solution that still works: give security-related system popups some obvious indication of legitimacy that can't be spoofed, like something in the bezel. Hard part is sandboxing apps so they can't spoof it. TouchID in iOS is one good solution.

If you throw up a CALayer over your app you can pretty much draw anything you want in it (make it look like anything), and make it touch enabled.