Apple, Amazon Close Holes that Allowed Honan Hack

By Jane McEntegart | Source: Wired | 20 comments

Amazon and Apple are both working to fix weak points that made it easier for a hacker to attack Wired reporter Mat Honan.

Earlier this week, Wired reporter Mat Honan reported that his iCloud account had been compromised. The attack resulted in his MacBook, iPad and iPhone being remotely wiped, his Google account deleted, and his Twitter account hijacked. The hacker told Honan that they had done it all just to get their hands on his three-letter Twitter handle (@mat), and that the rest (deleting his Google account, wiping his personal devices) had been done only to make sure he couldn't take the Twitter account back.

Honan explained that the person (or persons) responsible had achieved all of this not through any software flaw but by exploiting weaknesses in both Amazon's and Apple's account-recovery procedures. Amazon's phone support ultimately let the hacker see the last four digits of Honan's credit card number, while Apple's phone support would issue a temporary password to anyone able to provide the billing address and the last four digits of the credit card on file.

To get into Amazon, the hacker ran a WHOIS lookup on Honan's domain to get his billing address, then phoned Amazon asking to add a new credit card to the account (all Amazon required for this was the name on the account, the e-mail address and the billing address). With that done, they called back, said they couldn't get into the account, and asked to add a new e-mail address to the profile. After giving Amazon support the name, address, e-mail and the newly added credit card number, the new e-mail address was accepted. They then went to Amazon's website and sent a password reset to the address they controlled. Once inside the Amazon account, they could see the all-important last four digits of Honan's real credit card. A phone call to Apple followed and, after providing the billing address and those four digits, the hacker was issued a temporary password for Honan's Apple ID, which gave them his iCloud account and its .me mailbox. Honan's Gmail account used that .me address as its recovery address, so the hacker could send a Google password reset to the iCloud inbox and take over Gmail; Twitter's password reset in turn went to Gmail, so the Twitter account followed. With iCloud in hand the hacker remotely wiped Honan's devices, and finally deleted the Google account altogether.

Following the high-profile attack, both Amazon and Apple are now working to fix the weaknesses in their customer-support procedures that left users open to this kind of attack. Amazon said yesterday that it had taken care of the exploit in question.

"We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon," an Amazon rep told CNET.
As for Apple, the company originally told Honan that his was a case of both the customer's data being compromised by a person who had acquired personal information and internal Apple policies not being followed completely. However, Honan said in his Wired post that he was able to verify the hackers' access technique by performing it on a different account. Not only that, but AppleCare staff told him twice that billing address and last-four-digits were enough to verify someone's identity. 

According to the Guardian, Amazon has stopped allowing customers to change account information over the phone and Apple has stopped issuing passwords over the phone. It's not clear whether either company plans further changes to protect against attacks like the one on Mat Honan. Still, it's worth noting that Google's two-step verification, had Honan enabled it, would have stopped the Gmail takeover and with it the Twitter hijack, since a password reset alone would no longer have been enough to log in; it would not have protected the iCloud account or prevented the remote wipe, which went through Apple. What's more, the hacker would have had a much harder time had Honan not used the same username (mhonan@) across all of his e-mail accounts, which made the Gmail recovery address easy to guess.
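The chain described above, and the effect of the two companies' policy changes and of Google's two-step verification, can be made concrete by treating each identity-verification or recovery policy as a rule over what the attacker already knows and computing the closure. The Python below is an added example written for this page, not code from Wired, Amazon, Apple or Google; the service names, fact labels and rule names are its own, and the policies it encodes are the ones the article describes (the link between the Apple ID and Gmail is modelled as Gmail's recovery address being the iCloud mailbox).

```python
"""Model the account-recovery chain from the Honan attack as inference over
attacker knowledge.

Each Rule is one identity-verification or recovery policy: if the attacker
already holds every fact in `needs`, exercising the policy yields the facts in
`grants`. attack_closure() fires rules until nothing new can be learned, which
shows exactly which accounts are reachable from public information and which
policy change actually breaks the chain. Service names, fact labels and rule
names are this example's own; the policies are the ones described above.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    needs: FrozenSet[str]   # facts the attacker must already hold
    grants: FrozenSet[str]  # facts the policy hands out once satisfied


def rule(name: str, needs: Iterable[str], grants: Iterable[str]) -> Rule:
    return Rule(name, frozenset(needs), frozenset(grants))


# Starting knowledge: the name and e-mail address follow from the reused
# "mhonan@" username; the billing address came from a WHOIS lookup.
PUBLIC_FACTS: FrozenSet[str] = frozenset({"name", "email", "billing_address"})

# The policies as they stood before either company changed them.
ORIGINAL_RULES: List[Rule] = [
    rule("amazon: add card by phone",
         ["name", "email", "billing_address"], ["amazon:attacker_card"]),
    rule("amazon: add e-mail by phone",
         ["name", "email", "billing_address", "amazon:attacker_card"],
         ["amazon:attacker_email"]),
    rule("amazon: web password reset to new e-mail",
         ["amazon:attacker_email"], ["amazon:account", "cc_last4"]),
    rule("apple: temporary password by phone",
         ["billing_address", "cc_last4"],
         ["icloud:account", "icloud:inbox", "devices:remote_wipe"]),
    # Modelling assumption: Gmail's recovery address was the iCloud mailbox.
    rule("google: reset via recovery e-mail",
         ["icloud:inbox"], ["gmail:account"]),
    rule("twitter: reset via Gmail",
         ["gmail:account"], ["twitter:account"]),
]


def without(rules: List[Rule], *names: str) -> List[Rule]:
    """Drop the named policies, e.g. ones a company has withdrawn."""
    return [r for r in rules if r.name not in names]


# Amazon no longer changes account details by phone; Apple no longer issues
# passwords by phone (the changes reported by the Guardian).
AFTER_FIXES: List[Rule] = without(
    ORIGINAL_RULES,
    "amazon: add card by phone",
    "amazon: add e-mail by phone",
    "apple: temporary password by phone",
)

# Original policies, but Google 2-step verification enabled: a reset via the
# recovery address is no longer enough without the second factor, which the
# attacker never obtains.
WITH_GOOGLE_2SV: List[Rule] = [
    rule("google: reset via recovery e-mail + 2-step code",
         ["icloud:inbox", "google:second_factor"], ["gmail:account"])
    if r.name == "google: reset via recovery e-mail" else r
    for r in ORIGINAL_RULES
]


def attack_closure(start: Iterable[str], rules: List[Rule]) -> Tuple[Set[str], List[str]]:
    """Fire every rule whose preconditions are met until no rule can fire.

    Returns the full set of facts the attacker ends up with and the rules
    fired, in order; that order is the attack path.
    """
    known: Set[str] = set(start)
    fired: List[str] = []
    progress = True
    while progress:
        progress = False
        for r in rules:
            if r.name not in fired and r.needs <= known:
                known |= r.grants
                fired.append(r.name)
                progress = True
    return known, fired


def reaches(rules: List[Rule], target: str) -> bool:
    """True if the attacker can obtain `target` starting from PUBLIC_FACTS."""
    return target in attack_closure(PUBLIC_FACTS, rules)[0]


if __name__ == "__main__":
    for label, rules in [("original policies", ORIGINAL_RULES),
                         ("after Amazon/Apple fixes", AFTER_FIXES),
                         ("original policies + Google 2-step", WITH_GOOGLE_2SV)]:
        known, fired = attack_closure(PUBLIC_FACTS, rules)
        print(f"{label}:")
        for step in fired:
            print(f"  -> {step}")
        print("  attacker holds:", ", ".join(sorted(known - PUBLIC_FACTS)) or "nothing new")
```

Running it prints the fired rules for each scenario. Under the original policies all six rules fire in one pass, from the WHOIS address straight through to the Twitter account and the remote wipe. After the Amazon and Apple changes nothing fires at all, because no remaining rule's preconditions can be met from public data. With two-step verification on Gmail the Amazon and Apple rules still fire, so iCloud and the remote wipe remain reachable, but Gmail and Twitter do not: the second factor cuts the chain exactly where the article says it would.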

Follow @JaneMcEntegart on Twitter.
Comments
  • 17
    aftcomet, August 8, 2012 9:21 PM
    As terrible as this is, it's quite ingenious.
  • 4
    jhansonxi, August 8, 2012 9:28 PM
    Most people learn the basics of this hack when they are kids - playing one parent against the other. Quite an interesting logical extension of it.
  • 2
    internetlad, August 8, 2012 9:31 PM
    Fantastic use of social engineering. They knew how to manipulate the weak links (humans) to get the info they needed.

    It's a shame when a good portion of the scams and malicious software installations we see are directly related to the user clicking on something stupid because it tells them they have an infection, etc.
  • 13
    Anonymous, August 8, 2012 9:37 PM
    Just goes to show, as another example, how cloud systems are not proving themselves safe.
  • 1
    ddpruitt, August 8, 2012 10:02 PM
    Has it occurred to anyone that Apple stores passwords as plain-text? I think they have bigger issues than just giving out passwords over the phone, they need a top down security audit.
  • 0
    teh_chem, August 8, 2012 11:27 PM
    Quote (ddpruitt):
    Has it occurred to anyone that Apple stores passwords as plain-text? I think they have bigger issues than just giving out passwords over the phone, they need a top down security audit.

    It was discovered that Apple stores passwords in plain text?
  • 2
    koga73, August 8, 2012 11:44 PM
    I would think that Apple uses hashed passwords and probably just reset his pass to something new temporarily... However, if this is the case, then how did the hackers gain access to his Gmail account unless Apple read his original plain text password to the hackers?

    "Because Honan's AppleID was linked to his Gmail account, the hacker was able to change that password"
  • 0
    hax0red, August 8, 2012 11:49 PM
    We called this social engineering back on AOL in the late '90s and early 2000s. We used to do the same; 3 letters (the shortest AOL screen name you could have without an exploit) was considered "elite" lol. Internal AOL accounts were the biggest prize as it gave you the power of god in the AOL chats....so sad. lol.

    They eventually went to RSA SecurID, which stopped the internal AOL account pursuit short of having them sub7'd, in which case you could log their key presses @ login.
  • 6
    lathe26, August 8, 2012 11:50 PM
    The last 4 digits of your credit card have NEVER been secure. Almost every account I have where I pay a business via credit card displays these. Many receipts emailed to me have the last 4 digits. All of my paper receipts have the last 4 digits. Seriously, what were they thinking?
  • 5
    Anonymous, August 9, 2012 12:05 AM
    I think the term manipulator is more appropriate than hacker. There was no hacking involved.
  • 0
    Camikazi, August 9, 2012 12:35 AM
    Quote (hax0red):
    We called this social engineering back on AOL in late 90's early 2,000's. We used to do the same, 3 letters(shortest AOL screen name you could have without an exploit) considered "elite" lol. Internal AOL accounts were the biggest prize as it gave you the power of god in the AOL chats....so sad. lol. They eventually went to RSA secureid which stopped the internal AOL account pursuit short of having them sub7'd in which you could log their key presses @ login.

    OMG sub7, I had so many accounts and passwords because of that awesome program and some sneaky talking :)
  • 3
    Vorador2, August 9, 2012 8:13 AM
    The most terrible thing is that the hackers didn't use any zero-day exploit or sophisticated approach. They just phoned support posing as the owner of the account and used some clever talking. Social engineering at its finest.

    Like almost always, the weakest link in the security chain is the human link.
  • 0
    asdf634, August 9, 2012 1:08 PM
    Jane, I think you mean "people", not "persons".
  • 0
    eddieroolz, August 9, 2012 2:26 PM
    Quote (asdf634):
    Jane, I think you mean "people", not "persons".

    Persons is a valid term, used mostly in legal.
  • 0
    fedelm, August 9, 2012 3:13 PM
    Quote (eddieroolz):
    Persons is a valid term, used mostly in legal.

    Lawyered.
  • 0
    Anonymous, August 9, 2012 3:46 PM
    I don't understand how the "hacker" got his Gmail password. "Because Honan's AppleID was linked to his Gmail account, the hacker was able to change that password, and gain access to his Twitter account before deleting his Google account altogether."
  • 1
    jabliese, August 9, 2012 3:48 PM
    Totally agree with lathe26, the last 4 digits of a credit card are NOT meant to be a form of ID. Apple customer care fail.
  • 0
    rantoc, August 9, 2012 8:55 PM
    Quote:
    As for Apple, the company originally told Honan that his was a case of both the customer's data being compromised by a person who had acquired personal information and internal Apple policies not being followed completely. However, Honan said in his Wired post that he was able to verify the hackers' access technique by performing it on a different account. Not only that, but AppleCare staff told him twice that billing address and last-four-digits were enough to verify someone's identity.

    The company I would expect all-out lies from; the above just reinforces it. A company so arrogant that it lies to its customers right in their face even when it is at fault clearly deserves no customers! Only a fool would believe in them!
  • 0
    andrew_b, August 13, 2012 5:15 PM
    I don't know what type of wake-up call companies need to kick this complacent attitude to authentication and passwords. There is an increasing need for people to be better educated on this matter. I was just reading a blog article on telesign.com that brought out a couple more ideas to protect our accounts. You might like to take a look.
  • 0
    mamailo, September 6, 2012 2:14 AM
    Quote (rantoc):
    The company i would expect all out lies from, the above just enforces it. A company so arrogant that they lie their customers right in the face even when they are at fault clearly deserves no customers! Only a fool would believe in them!

    Apple customers are safe from zombies, because of their lack of brains.