Sign in with
Sign up | Sign in

Apple Support Gives Hacker Access to Blogger's iCloud

By - Source: via ZDNet | B 60 comments

Apple apparently gave a perfect stranger access to Mat Honan's iCloud account without verifying his identity.

As we become more connected and more reliant on the web, top-notch security becomes more and more important. While some services like Gmail offer two-step verification to ensure only you can access your account, not every service offers security that's as air-tight. This past weekend, Wired's Mat Honan revealed that he had been hacked. Actually, the hackers themselves revealed that fact when they took control of Honan's Twitter account but Honan later divulged just how bad the attack was.

Honan says someone accessed his iCloud account at 4:50pm on Friday afternoon. This person reset the password and then sent the password reset confirmation email to the trash bin. After that, the hacker switched his or her focus to Honan's email account. Honan said in a blog post on Friday that the backup email address on his Gmail account is the same .mac email address. So, at 4:52pm, the attacker sent a Gmail password recovery to the .mac account and successfully reset his Gmail password.

Now, most of us would already be freaking out at this point. The idea of a stranger having access to your personal email is a very scary one. However, the hacker wasn't finished with Honan. At 5pm, the attacker wiped his iPhone. One minute later, they did the same to his iPad. At 5:05pm, his MacBook Air was wiped clean. After that, they accessed his Twitter and, because his Twitter was once linked to the account of his former employer Gizmodo, the hackers took the @Gizmodo account, too.

The story of how the hacker breached one account and used that access to breach multiple other accounts is interesting enough as it is. However, how they got access to the first account (in this instance, iCloud), is even more interesting. Though Honan originally thought the person responsible had managed to brute force is seven digit alphanumeric password, he soon figured out that it wasn't as hard as that. In an update to his blog post, Mr. Honan said that he had confirmed with both the hacker and Apple that it wasn't password related. The hacker simply phoned Apple support, convinced the tech support worker that he was Honan and had them reset the password.

Speaking via Twitter, Honan revealed that the hacker didn't even have to answer any security questions. "They did not have to answer security questions. Bypassed both the password, and the questions," he told one follower, later adding, "To all asking exactly what info let hackers access my account, I want to give Apple a chance to respond first. Should be an easy fix."

Apple also hasn't commented publicly on the situation, but we don't expect Cupertino to stay quiet for long. This could have happened to anyone (though Honan's job as a tech blogger for a popular publication does make him an attractive target), and the fact that Apple let a stranger access a user's account with no authentication is very worrying. We'll keep you posted on this one.


Follow @JaneMcEntegart on Twitter.                     

 

Contact Us for News Tips, Corrections and Feedback

Discuss
Display all 60 comments.
This thread is closed for comments
Top Comments
  • 26 Hide
    codo , August 6, 2012 5:14 PM
    Deserves it for owning that much apple junk
  • 25 Hide
    ddpruitt , August 6, 2012 5:30 PM
    Everything's easier with an Apple, including identity theft.

    15 minutes could delete 15% or more
  • 24 Hide
    spartanmk2 , August 6, 2012 5:19 PM
    iLoL'd
Other Comments
  • 10 Hide
    theconsolegamer , August 6, 2012 5:14 PM
    Quote:
    This person reset the password and then sent the password reset confirmation email to the trash bin.


    Are you serious? lmao
  • 26 Hide
    codo , August 6, 2012 5:14 PM
    Deserves it for owning that much apple junk
  • 23 Hide
    Netherscourge , August 6, 2012 5:18 PM
    Hacker: Hi, I forgot my password. Please tell me?

    Apple CS: Sure, you just have to answer a security question.

    Hacker: Ok, what is it?

    Apple CS: What year is it?

    Hacker: um.... 2012?

    Apple CS: Ok. Here ya go! ______ Is there anything else we can do for you today Mr. Honan?

    Hacker: Nope. I'm good. Thanks!

    Apple CS: Thank you and have a nice day!

    Hacker: Oh, I will. MWAAA HA HA HA HA HA HA!

    Apple CS: Goodbye!
  • 24 Hide
    spartanmk2 , August 6, 2012 5:19 PM
    iLoL'd
  • 20 Hide
    hoofhearted , August 6, 2012 5:19 PM
    How is it that this hacker remote wiped his iPhone, iPad, and Mac? (local devices with local storage) Or is this another advantage of cloud computing?
  • 9 Hide
    RyQril , August 6, 2012 5:25 PM
    should i laugh out loud or its just mean?
  • 25 Hide
    ddpruitt , August 6, 2012 5:30 PM
    Everything's easier with an Apple, including identity theft.

    15 minutes could delete 15% or more
  • 7 Hide
    ixxbobafettxxi , August 6, 2012 5:30 PM
    Apple Noobz. LOL
  • 5 Hide
    dextermat , August 6, 2012 5:31 PM
    Insert fail trumpet sound here ! ==>
  • 18 Hide
    ixxbobafettxxi , August 6, 2012 5:32 PM
    hoofheartedHow is it that this hacker remote wiped his iPhone, iPad, and Mac? (local devices with local storage) Or is this another advantage of cloud computing?

    icloud
  • 15 Hide
    Khimera2000 , August 6, 2012 5:33 PM
    Apple has never put enough emphasis on security. I remember a time not to long ago when they wouldn't reveal any details on breaches to there OS, no matter how bad (they did push out a fix incognito). A company with history of keeping there customers in the dark would probably have other issues with security, shame it was something like this.

    at least that's my take.
  • 14 Hide
    zeratul600 , August 6, 2012 5:42 PM
    that's what you get for using crapple
  • 6 Hide
    molo9000 , August 6, 2012 5:44 PM
    hoofheartedHow is it that this hacker remote wiped his iPhone, iPad, and Mac? (local devices with local storage) Or is this another advantage of cloud computing?


    It's an iCloud feature meant to be used on stolen iPhones/iPads/Macs. Most users don't activate it, because they don't find out about this feature until after their device was stolen.
    This guy actually activated it and karma bit him in the ass.
  • 12 Hide
    ithurtswhenipee , August 6, 2012 5:50 PM
    I saw a report a few years ago that said apple was actually fairly easy to hack due to the complacency of Jobs and Company. Since Apple was comparatively insignificant in the grand computing scheme, Apple arrogantly did little in the hardening of their OS. Now that the isheep population has grown, Apple's security practices seem to have a hard time keeping up now that Apple is starting to be a larger target.
  • 20 Hide
    v90k , August 6, 2012 6:07 PM
    taking the term "Apple Genius" to a whole new level.
  • 17 Hide
    A Bad Day , August 6, 2012 6:07 PM
    And those who say that Apple is invincible...
  • 4 Hide
    aracheb , August 6, 2012 6:29 PM
    NetherscourgeHacker: Hi, I forgot my password. Please tell me?Apple CS: Sure, you just have to answer a security question.Hacker: Ok, what is it?Apple CS: What year is it?Hacker: um.... 2012?Apple CS: Ok. Here ya go! ______ Is there anything else we can do for you today Mr. Honan?Hacker: Nope. I'm good. Thanks!Apple CS: Thank you and have a nice day!Hacker: Oh, I will. MWAAA HA HA HA HA HA HA!Apple CS: Goodbye!

    lol...
    hahahahahahaha funny thing.
  • 4 Hide
    nforce4max , August 6, 2012 6:35 PM
    I hope that people think long and hard about this considering that many can learn an important lesson. Any weak link in your security can compromise everything. Another reason why I don't keep everything online.
  • 2 Hide
    thorkle , August 6, 2012 6:37 PM
    As much as I don't support apple, this is clearly the fault of a bad tech support employee falling for a social engineering attack. They need to train their employees more diligently is all there is to it.
Display more comments