Sunday, August 5, 2012

Apple gave hackers access to user’s iCloud account


As we continue to upload more and more of our lives to the web, the dangers of being hacked multiply. Our credit card numbers, our home addresses — they’re all there for the taking. That’s why so many security experts preach using a complicated password.
But sometimes, using a strong password isn’t enough. Just ask former Gizmodo writer Mat Honan. Mat’s world was turned upside down this weekend when a hacker gained access to his iCloud account, wiping his Mac, iPhone and iPad, thanks to Apple…
If you follow Mat Honan or Gizmodo on Twitter, you would have seen quite the show Friday night. Hackers gained access to both accounts and started their reign of terror.
Honan explains how it all went down:
“At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years.
The backup email address on my Gmail account is the same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:04, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.”
And because he didn’t have any backups, Mat says he lost more than a year’s worth of photos, emails, and documents. Ouch. And apple said that none of this is recoverable without serious forensics.
So how did all of this happen? A brute force attack? A key logger? Nope, Apple essentially handed the hackers Mat’s iCloud password.
 ”Update three: I know how it was done now. Confirmed with both the hacker Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
Apparently, if someone can convince Apple that they are you, they can gain access to your iCloud account with very little effort. Granted, Mat Honan’s life is a little bit more public than most people’s (he’s also worked for Wired magazine). But this attack still highlights a very real weakness in Apple’s security.
In fact, we expect the company to make a statement regarding this situation at some point, if for no other reason then to reassure folks that this won’t happen again. Some people store their entire lives on iCloud. And if Apple ever wants to, at some point, become a medium for wireless mobile payments, it needs to feel safer.

No comments: