Slashdot Mirror
Apple Support Allowed Hackers Access To User's iCloud Account
Robadob writes "Yesterday a hacker gained access to Mat Honan's (An editor at Gizmodo) Apple iCloud account allowing the attacker to reset his iPhone, iPad, and Macbook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack, however today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Perhaps you should go back and read the article (just the summary will do): the "hacker" socially engineered an Apple support "engineer" to bypass the security questions. So he did not even need to google them.
I'm not a complete idiot... Some parts are missing.
True, but Gramma wouldn't link all her devices like that. One account compromised shouldn't get you remote root access to every other device
Actually, it's entirely possible she could, because Apple's iCloud makes it that easy.
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
If it's so easy, kindly tell me my first pet's name, my date of birth, the city I was born in, the make of the first car I drove, my first school's name, my mother's maiden name, and the answer (or even question) to my 'other' security question? Keep in mind these need to be formatted exactly as I have entered them, and not as you may have copied them from a public record.
Security questions are plenty secure, as long as you don't have a path to just avoid them entirely, as Apple so kindly provided here.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Yesterday a hacker gained access to Mat Honans...
Let me introduce to you to Mr Apostrophe.
(An editor at gizmodo)
(an editor at Gizmodo)
allowing him... He was also able...
No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)
apple iCloud account... google and twitter accounts... apple customer support
Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.
down to a brute force attack, however today it has come out
A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.
Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.
systemd is Roko's Basilisk.
This is how SpiderOak does it. https://spideroak.com/faq/questions/13/what_if_i_forget_my_spideroak_password/
Sure, but getting the data wasn't a goal here. Infact, they appear to specifically wiped out the data. It's the accounts that are valuable, not what is in them.