"Hacking" iCloud even with 2 step enabled?

Discussion in 'Apple Music, Apple Pay, iCloud, Apple Services' started by Primejimbo, Dec 19, 2014.

  1. Primejimbo macrumors 68040

    Joined:
    Aug 10, 2008
    Location:
    Around
    #1
    Anyone else read this?
    http://www.engadget.com/2014/12/18/elcomsoft-phone-breaker-icloud-two-step/

     
  2. Ritsuka macrumors 6502a

    Joined:
    Sep 3, 2006
    #2
    So what? Obviously if you have the appleid/password and a valid two-factor you can login, it's exactly what you use to log in iCloud. That means having access to a device where the two-factor code is sent.

    A digital token is exactly what you use to stay logged in without re-entering the two-factor code each time. Obviously if you have it you can log-in too…

    So there isn't anything new in Engadget article. It's just a third-party app you can use to access a iCloud account if you have the account credentials.
     
  3. Primejimbo thread starter macrumors 68040

    Joined:
    Aug 10, 2008
    Location:
    Around
    #3
    I'm sorry, but I don't understand this... So if I go on iCloud.com, put in my info, get the 4 digit code from my phone, this is how they are getting this info? Is this only an issue if I select "i log on the computer frequently"? (or something close)
     
  4. Ritsuka macrumors 6502a

    Joined:
    Sep 3, 2006
    #4
    Nobody is getting any info at all, there is no issue here.

    The engadget article talks about a program to download data from iCloud. But that app works only if the person using it has:
    your appleid, password and a valid two factor code.
    a token stored on your computer.

    And the only way for them to get it is to have access to your devices or your computer.
     
  5. Primejimbo thread starter macrumors 68040

    Joined:
    Aug 10, 2008
    Location:
    Around
    #5
    Thanks for clearing that up for me!
     
  6. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #6
    In the past the software used the token that is generated when you log in to iCloud in the settings on Mac or the iCloud app on Windows. Not sure if they can now also use the browser cookie that is used to store the token for access to icloud.com.

    In order to get to the token, an attacker would either have to have physical access to your computer, or use some exploit to remotely install malware that could grab them and send them over the Internet. One thing to note is that you will not get an email notification when someone uses a token to access your account.
     

Share This Page