Screen Time still has unpatched exploits leading to an iCloud password reset when using only the iCloud e-mail, iCloud phone number and device passcode… because it can be chosen to authenticate using the same device passcode.

Maybe in iOS 17 it’s patched, iPadOS 17 seems to be the same…
Does this exploit also work when using HW security keys?
 
Don’t like this change for security reasons. If you like your previous passcode because you remember it why bloody change it in the first place if you have to enter the old one because you forgot the new one.
 
Great summary of what can (and should) be done to better protect private data. Same approach. I set 2FA for (or disable at all) not only important accounts but also important apps on iOS: settings/passcode (Screen Time passcode), banking apps ("financial" PIN), iCloud Files (off, need it only on MBA), important Notes (passcode). I forgot (shame on me, thanks) about keychain passwords, where some important passwords are kept. Fortunately I need them only on my MBA so Keychain is off now (and turning on is protected by ScreenTime password).

Apple claims to focus on user privacy, but ... there's a lot to be done to make private data really secure.
I think the main thing is, the PIN you use to open your phone (if biometrics fails) should not by default give you a skeleton key to open Keychain, change iCloud settings, etc. That right there is a huge glaring security hole, and while I feel bad for people who've been victimized this way, hopefully all the bad press about it will prompt Apple to lock things down a little better.

Screen Time is a good second line of defense... IF you know how to set it up and are actually going to take the time to do that. Most people don't know about this stuff, and frankly they shouldn't have to.
 
Does this exploit also work when using HW security keys?
HW security keys (FIDO), as far as I know, were not used at all in iOS 16 to prevent a passcode change, sadly :/ just to authenticate new devices, but if the thief resets the passcode they can also remove the HW keys and so on…

So the change from the topic is good, but there are still holes in this. It’s going in a good direction, I hope…
 
Apple might as well just let you use 1234 to unlock it for 72 hours after the change.
 
I think the main thing is, the PIN you use to open your phone (if biometrics fails) should not by default give you a skeleton key to open Keychain, change iCloud settings, etc. That right there is a huge glaring security hole, and while I feel bad for people who've been victimized this way, hopefully all the bad press about it will prompt Apple to lock things down a little better.

Screen Time is a good second line of defense... IF you know how to set it up and are actually going to take the time to do that. Most people don't know about this stuff, and frankly they shouldn't have to.

And Screen Time might only buy you a few minutes before the thief just turns it off.
 
Just read about a really good safeguard against this using Screen Time, actually. I'm having trouble remembering where I saw it, but the basic idea was that you can go into Screen Time > Content & Privacy Restrictions and then disallow Passcode and Account changes. Once you've done that, you can ONLY change your Apple ID settings if you know the Screen Time PIN, which is a 4-digit PIN you can make totally different from the PIN you unlock your phone with.

The Screen Time setting may not fix the vulnerability, as discussed in the comments to this article on TidBITS (I haven’t tested the scenario myself, but I regard TidBITS’ staff as both knowledgeable and experienced):

—————
  1. OK, I just spent a bunch of time testing this carefully, and while it may be better, it’s not fixed.
    Let’s assume the thief has your iPhone and your passcode, but you’ve turned on a Screen Time passcode and locked account changes but not set a recovery key. The thief can find your email address and phone number from email and Settings > Phone.
    Then, if they work through the steps to turn off the Screen Time passcode, saying Forgot Passcode when prompted, entering your email address when prompted, and then tapping Forgot Apple ID or Password, they’ll be able to reset the Apple ID password using just the passcode and turn off the Screen Time password in the same step.
    The confusion, I think, is that there’s a branch in the logic at one point, and if they follow the other branch, they’ll be prompted for your trusted phone number or recovery key. The problem occurs at the Screen Time Passcode Recovery screen:
    • If they enter your email address in the Apple ID field here, tap OK, and then get the password field, they can then tap Forgot Apple ID or Password and continue with the passcode to reset the password. In other words, the most obvious approach is the least secure.
    • If, instead of entering your email address right away, they tap Forgot Apple ID or Password first, and then enter the email address, they’ll go into the more secure password reset flow that tells them to continue on your other Apple devices. If they say they can’t get to them, they’ll be asked for your trusted phone number, which they can find out easily. But that doesn’t end up working out, at least in my testing.
    • When I entered that, I was prompted for the passcode again, but entering it threw me to the Don’t Know Your Passcode screen that was warning my account would be locked for several days. At that point, I bailed—who knows what would happen if I locked my account like this. But I very much got the sense that a thief wouldn’t be able to change the password that way.
      I’m being a little waffly here because I only tested a few times—I was just too leery of locking my account or messing something else up entirely. But I’ll report this to Apple and see if anything comes back.
      All that said, if you both turn on the Screen Time passcode and set a recovery key, you’re safe. There’s no way to turn off the Screen Time passcode without having access to the recovery key.
  2. Doug Miller
    24 April 2023

    Adam Engst:

    All that said, if you both turn on the Screen Time passcode and set a recovery key, you’re safe. There’s no way to turn off the Screen Time passcode without having access to the recovery key.
    That seems incorrect in my case. I have both a recovery key set and a screen time passcode and I can still go through and change the Apple ID password with the procedure you listed. (I just, in fact, actually changed it - and very shortly afterward realized that this meant that my Sonos stopped playing music because I had to reauthorize my Apple Music account.)
    Having a screen time passcode with account changes disallowed makes it harder to find the Apple ID address on the device, but not impossible.
  3. Adam Engst
    24 April 2023
    Darn it, I think you’re right. That was my starting condition, and when I assumed it worked, it was before I discovered that there was a difference with when you enter the email address in the Screen Time Passcode Recovery screen. I have screenshots showing that the recovery key is required, but I’m pretty sure that’s in the branch where you enter the email address AFTER tapping Forgot Apple ID or Password.
    I’ve set up to replicate now, and while I don’t actually want to change my Apple ID password again (it invalidates my app-specific passwords and causes all sorts of cascading alerts on different devices), I’m getting the screen to change the Apple ID password without being prompted for the recovery key first.
 
Just read about a really good safeguard against this using Screen Time, actually. I'm having trouble remembering where I saw it, but the basic idea was that you can go into Screen Time > Content & Privacy Restrictions and then disallow Passcode and Account changes. Once you've done that, you can ONLY change your Apple ID settings if you know the Screen Time PIN, which is a 4-digit PIN you can make totally different from the PIN you unlock your phone with.

I just kind of battle tested my own phone to see what I could do with a piece of tape over the FaceID sensor, just using the unlock PIN. I can get into the phone, but my banking and credit card apps all need FaceID or their own unique password to get in. Same with Venmo. I'm not using iCloud Keychain, so there's no danger in anyone using my unlock PIN to get at those banking passwords -- they're saved in 1Password which requires either FaceID or its own (very long) password. The one remaining way for people to actually send money off my phone without FaceID is Apple Cash, which does not have a PIN option and which I don't believe can be protected with the Screen Time PIN from what I can tell. Kind of lame, but I'm not going to disable Wallet entirely.

It would suck to lose money, but honestly the HUGE thing here is not losing my entire Apple ID if someone PIN jacks my phone. I still feel like this is a fairly unlikely thing, but it feels good to have at least a layer of protection there.

But the Screen Time fix could merely buy you minutes; it can be reset. It is no panacea.
 
How do mere mortals deal with all this password, PIN, passcode, keychains, biometric authentication stuff? ... I can't remember all the passwords to all the services I use.
I use a scheme to remember. First I create a "common password body" that doesn't change and then insert a character that does change that matches the site I am going to.

For instance, let's say my base is H1mPW ("Here 1s my PassWord"....easy to remember); then if I am going to Google the password is H1mgPW. If I'm going to Wachovia bank it's H1mwPW. Etc. etc. This way I only need to remember the base and what site I'm logging in to.

*bold characters for emphasis here
 
Am I missing something because this sounds like a security risk to me.

Say someone got a hold of my phone and got the password. I'm able to get my phone back from them and I change my passcode. Well, that robber still has 72 hours to try to steal my phone again and use it (since they already know the old passcode).

And the situation doesn't have to be that of a "robber". It could be, for instance, one's child or some family member who wasn't supposed to have access, etc.
 
Glad to see that they're looking at it. Having a low-entropy passcode as the key to the apple kingdom is a poor design choice.
 
How do mere mortals deal with all this password, PIN, passcode, keychains, biometric authentication stuff? I have no idea what all these things are and really can't afford to devote a good chunk of my life to trying to understand it like all of you appear to. The fact that it's so complicated actually lowers the security, because it's too hard to do everything 'just right'.

Since I can't figure all this stuff out, I use "Forgot Password" all the time! I can't remember all the passwords to all the services I use, and I don't trust a password manager, for all the reasons earlier posters have mentioned. If a master password is hacked, then everything is exposed. If one password is hacked, only that service is exposed.

I've been an Apple product user for over 30 years. The last 10 years have gotten so complicated that I don't even try to use most new features. Everything seems to need to have multiple configuration settings set in multiple places. And every iteration of the OS changes those places, so much that instructions on support sites reference settings and places which have been renamed or moved or simply don't exist. It's so hard that I don't even try.
Having a password manager is right at the top of my list of security recommendations (along with keeping stuff patched and getting a security freeze - not credit lock - on your credit reports).

There are good and bad password managers out there. One that allows the vendor to access to any data in your keyring is bad.

You should never use an in-browser/website one on a regular basis - only use the app. If you do have to use the web one (like 1password.com to set it up initially), then do that from a known, good, trusted browser on a machine you control (never, ever, on someone else's machine). From that point forward, only using the app prevents you from ever entering the passphrase in the wrong place. If you choose a good one that's several words long like (puppy shark jumps blue freakin whales) you'll likely never have to change it....it really is 1 password. The only real risk is that you also have to keep their secret key somewhere safe (like a parent or kid's home, or a safe deposit box), because you'll need that to regain access to your account if you lose all your devices at the same time.

Highly highly recommended.

Just a side note: If you have a password for your email account that you can remember, it's likely that it can easily be hacked. And since email reset is the fallback for most sites, that's actually the most important password to make extremely secure. This is why, by the way, that you should never login to your email account from a machine you don't own, and ideally from a browser that you don't use for general browsing (if you use browser based email instead of a real service/client).
 
Dumb. Most people change their passcode for a reason - like a snooping partner/ex, kid, etc. This would let that person just get back on in there. Who changes their passcode without a reason?
 
OK... so they show that you can have two passcodes active. What prevents them from adding a third as a backdoor for the FBI or the Chinese government?
lol, a single passcode that unlocks ANY iPhone? That wouldn’t stay secret for more than a couple of weeks. There‘s no reason to be any more concerned about such things than you were previously.

I seriously don’t get how people think that they are more at risk when companies publicly announce features they view as “close” to a possible privacy concern. If a company was to do something sneaky they obviously wouldn’t announce it and thus people would be none the wiser.

So “what prevents them?” Obviously the same thing that has always prevented them—which even if nothing—isn’t any different than before.
 
Am I missing something because this sounds like a security risk to me.

Say someone got a hold of my phone and got the password. I'm able to get my phone back from them and I change my passcode. Well, that robber still has 72 hours to try to steal my phone again and use it (since they already know the old passcode).

And the situation doesn't have to be that of a "robber". It could be, for instance, one's child or some family member who wasn't supposed to have access, etc.
It shows in the screenshot that you can cancel the old passcode immediately, without having to wait 72 hours for it to expire.
 
Don’t like this change for security reasons. If you like your previous passcode because you remember it why bloody change it in the first place if you have to enter the old one because you forgot the new one.

Apple might as well just let you use 1234 to unlock it for 72 hours after the change.

Am I missing something because this sounds like a security risk to me.

Say someone got a hold of my phone and got the password. I'm able to get my phone back from them and I change my passcode. Well, that robber still has 72 hours to try to steal my phone again and use it (since they already know the old passcode).

And the situation doesn't have to be that of a "robber". It could be, for instance, one's child or some family member who wasn't supposed to have access, etc.

Dumb. Most people change their passcode for a reason - like a snooping partner/ex, kid, etc. This would let that person just get back on in there. Who changes their passcode without a reason?


Can everyone please read the article before criticizing? The article fully explains that you have the option to instantly, fully, cancel your old password (ie - the same behavior as now) if you want to. This is not any less secure than it was.

Have none of you ever changed your password on your laptop/iPhone/etc before and then gone a few days without typing it in - only to be stumped the next time you get a password prompt? I’m not even very old and have had this situation happen. In that case it’s helpful to be able to use the one you were using for the last year that you still remember.

As for “who changes their password without reason”… ummm… everyone that cares at all about security? Regularly changing passwords (even if just every year or so) is one of the simplest suggestions for password security.
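The point in the post above (the old passcode stays usable for 72 hours after a change unless the owner expires it straight away) is easier to reason about as a small model. This is an added illustration, not Apple's code: it assumes only the behaviour the thread describes (a 72-hour grace window and an immediate expire option), with PBKDF2 standing in for whatever key derivation the device actually uses and constructed sample passcodes.

```python
"""Model of the passcode-change grace period discussed in the thread (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

GRACE_SECONDS = 72 * 60 * 60  # the 72-hour window mentioned in the thread (assumption: fixed length)


def _derive(passcode: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the device's real key derivation; parameters are illustrative only
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


@dataclass
class PasscodeStore:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    previous: Optional[bytes] = None
    previous_valid_until: float = 0.0  # epoch seconds; 0 means no previous passcode is accepted

    def set_initial(self, passcode: str) -> None:
        self.current = _derive(passcode, self.salt)

    def change(self, new_passcode: str, now: float) -> None:
        # Default behaviour described in the thread: the old passcode keeps working for the grace window
        self.previous = self.current
        self.previous_valid_until = now + GRACE_SECONDS
        self.current = _derive(new_passcode, self.salt)

    def expire_previous_now(self) -> None:
        # The "cancel the old passcode immediately" option the posts point to
        self.previous = None
        self.previous_valid_until = 0.0

    def verify(self, passcode: str, now: float) -> str:
        """Return which credential matched: 'current', 'previous' (still in grace) or 'rejected'."""
        candidate = _derive(passcode, self.salt)
        if hmac.compare_digest(candidate, self.current):
            return "current"
        if (self.previous is not None and now < self.previous_valid_until
                and hmac.compare_digest(candidate, self.previous)):
            return "previous"
        return "rejected"


def scenario() -> dict:
    """The thread's worry: someone saw the old passcode, the owner changes it, what still unlocks?"""
    store = PasscodeStore()
    store.set_initial("1234")      # constructed sample passcode
    store.change("8642", now=0.0)  # owner changes it at t=0 without expiring the old one
    results = {
        "old_code_one_hour_later": store.verify("1234", 3600.0),        # still accepted
        "old_code_after_window": store.verify("1234", GRACE_SECONDS + 1),  # window closed
    }
    store.expire_previous_now()    # owner uses the expire option instead of waiting
    results["old_code_after_expire"] = store.verify("1234", 3600.0)
    results["new_code"] = store.verify("8642", 3600.0)
    return results
```

The model makes the trade-off explicit: until the owner either waits out the window or expires the old passcode, anyone who learned it keeps access, which is exactly the case the "snooping partner/kid" posts raise.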
 
Kid figures out the parent's passcode.
Parent changes the passcode.
Kid uses the feature to undo the change and regain access.
Parents don't realize or use the Expire feature.
This happens to thousands. Kids learn way faster than parents.
 
Can everyone please read the article before criticizing? The article fully explains that you have the option to instantly, fully, cancel your old password (ie - the same behavior as now) if you want to. This is not any less secure than it was.
That's not necessarily true. If the internal mechanisms regarding how passcodes are handled have changed (I have no idea if that is the case), then this could result in a less secure situation.
 