Hackers can steal your AppleID in 10 s

Posted on Friday, October 12th, 2012 in Blog, Development

We accidentally came across a major security problem when we were configuring iMessages on OS X Mountain Lion. We certainly don’t want to encourage illicit activities but full disclosure is usually the best way to handle public security issues.

This is a serious bug that lets anyone, quickly and without any hacker skills, take full control of someone else’s Apple ID when connected to the same WiFi network. This means you can gain full access to that person’s iTunes and App Store accounts by adding your own email address as a verified address and then changing their password and security settings.

Edit
Since we endorse both Apple and its users we’ve decided to remove the step-by-step instructions to avoid the risk of misuse. As we pointed out above, we certainly don’t want to encourage illicit activities.

The technique used is called a “Session Fixation Attack”, meaning that the user’s session, which should be associated with and confined to the user’s computer and browser, can be reused and exploited by a third party.

You can stay safe from this by neither sharing nor accepting links to Apple ID. If someone asks you to log in to Apple ID, don’t open a link to https://appleid.apple.com/ that they give you; go directly to https://appleid.apple.com/ instead.
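A generic illustration of session fixation and its standard server-side fix (issuing a fresh session id at login), added here as an example; it is not Apple's code or ours, and the `SessionStore` class, its methods and the account name are hypothetical.

```python
import secrets


class SessionStore:
    """Minimal in-memory session table (hypothetical): session id -> session data."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def open_session(self, presented_id=None):
        """Return the id for a request: reuse a known id, otherwise mint one."""
        if presented_id in self.sessions:
            return presented_id
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = {"user": None}
        return new_id

    def login(self, session_id, user):
        """Authenticate `user` on `session_id`; return the id to use from now on."""
        if session_id not in self.sessions:
            raise KeyError("unknown session")
        if self.rotate_on_login:
            # Hardened: discard the pre-login id, so anyone else who knows it
            # (for example from a shared link) is left holding a dead token.
            del self.sessions[session_id]
            session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"user": user}
        return session_id

    def whoami(self, session_id):
        """User bound to the id, or None if the id is unknown or anonymous."""
        return self.sessions.get(session_id, {}).get("user")


def shared_link_outcome(rotate_on_login):
    """Replay the scenario: one id is known to two parties before a login.

    Returns (user seen via the shared pre-login id, user seen via the current id).
    """
    store = SessionStore(rotate_on_login)
    shared_id = store.open_session()            # id that ended up inside a shared link
    victim_id = store.open_session(shared_id)   # the browser adopts the shared id
    victim_id = store.login(victim_id, "alice@example.com")  # constructed account
    return store.whoami(shared_id), store.whoami(victim_id)


if __name__ == "__main__":
    print("no rotation:  ", shared_link_outcome(False))
    print("with rotation:", shared_link_outcome(True))
```

Without rotation the shared id resolves to the logged-in account; with rotation it resolves to nobody, which is why regenerating the session id at every privilege change is the usual server-side fix.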

20 Comments

  • SteVo

    Step 2 sounds like something that would never happen, but it’s really just a matter of running Wireshark to sniff out the URL.

    • Erikbj

      Let’s say you study at a school with a public wifi network. You then post the URL on Facebook and tell all your friends to log in to check out a new feature.

    • http://www.facebook.com/emil.stenqvist Emil Stenqvist

      Apple ID enforces SSL when logging in, and hence Wireshark cannot be used to facilitate this attack – it requires active participation from the user in question.

  • Guest

    “We certainly don’t want to encourage illicit activities but full
    disclosure is usually the best way to handle public security issues”

    No, the best way is to report the issue to the vendor (Apple) and give them time to react. After it’s fixed you can disclose the report.

    Reporting serious, unfixed problems just gets a bunch of innocent users in trouble and makes you look like the bad guy.

    Disclosing before giving the vendor a reasonable time to react is a douchey and very unprofessional thing to do.

  • Guest

    Seriously? Did you give Apple a couple of hours to fix the bug? You are truly embarrassing. Give them a week at least, one would think; that would have looked much better. Well done, you are really lowering the bar; one can’t take you seriously in the slightest.

    • http://www.facebook.com/emil.stenqvist Emil Stenqvist

      Since this security problem requires active help from the victim, the need for discretion is reduced. Rather, it is more important to spread awareness of the problem, so that people can protect themselves against it. Thanks to our blog post, this has been covered in all the major daily newspapers – something we believe has had a greater effect than waiting X number of weeks for Apple to fix it, all while running the risk that others discover it by accident, just as we did, and exploit it for their own gain.

  • xtanjx

    A little help would be appreciated. For example, you are in Starbucks running Mac OS X 10.8, how do you protect yourself until Apple fixes this?  Do you turn off iMessage, set your firewall to “stun” ;-) …?

    • Emil Stenqvist

      You just don’t accept a link asking you to log in to Apple ID, or share a link from a session where you’re logged into Apple ID.

  • B T

    The URL containing the session is sent over SSL.  So what’s the issue, again?
