Apple Knows About A Massive Hack Exploit, And Has Done Nothing

Gizmodo alumni Mat Honan got hacked this week. It was bad. But that's not the worst part. Worse is that Apple has known exactly how easy this is for months, and hasn't done a thing to stop it.

Honan has a chilling account of Apple and Amazon's security flaws over at Wired today. He has actually been in contact with his hacker, "Phobia," and using the information he got from him, has been able to confirm that Apple has been aware of the security issue. Here's how it works:

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

And perhaps more disturbing is how aware Apple's tech support is of this:

Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.

Today, Wired confirmed the technique works on different accounts. So, in fact, if you use the same credit card on Amazon or PayPal as you do on Apple, you are exposed to the dead-simplest social hack in recent memory.

We already knew that Mat's account had been hacked without any brute force, but this level of negligence is totally nuts. For reasons passing understanding, Apple seems to have actually refused to enact simple policy changes to stop crippling, terrifying hacks from happening to its customers. [Wired]

Image by gualtiero boffi/Shutterstock



    Stupid apple most businesses show the last 4 digits

    Why does Apple have to change? Shouldn't everybody else change their security policy?

      Just waiting for an email from Steve Jobs now... "Everyone else is just doing it wrong"

        You'll be waiting a while Drew.

          Drew won't have to wait too long. I'm on hold with Apple support now to claim his iCloud account :-)

    Any kind of process that involves a third party person - tech support guy - is inherently flawed.

    I was following this from the start, but after reading the full Wired article I realized that he says a few times all the hackers wanted was his @mat twitter account... So although it's not mentioned, if twitter had two factor auth, the entire scenario would never have begun in the first place!

      Better for him/us to find out about this exploit when the hacker wasn't intending to access his other accounts...

    It's easy to hack customer services personnel. Complain loud and long enough and they fold.

      Or lodge a formal complaint with the ombudsman; at least it solved my problem with TPG very quickly after 2 weeks of back and forth with no result.

    Most forms of verification over the phone are amazingly flawed. Companies really need to start implementing challenge-response type authentication for BOTH parties. This shouldn't be something as easily available as someone's birth date or publicly displayed credit card information (just look at the article today about the Melbourne MYKI system leaving 9 digits and the expiry date of the credit card on the receipt).

    It's important to have it go both ways, so you know the person at the other end of the phone is actually from the company they say they are. For example, I had someone call me up from the ATO a while back, and the first thing they asked me was to verify my date of birth and address. I simply asked them, "How do I know you're really from the ATO?" They could not provide any kind of information to me to show that they were in fact from the ATO and did want to contact me. I told them to send any correspondence via mail if they couldn't provide any kind of assurances like this.
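The commenter above argues for challenge-response authentication in both directions, so that neither the caller nor the company has to recite data that is printed on receipts or shown on other sites. The following is an added example, not code from Gizmodo, Wired, Apple or the commenter, of what that exchange looks like over a shared secret: the company stores one secret per account (the mechanism for establishing it, say at account creation, is assumed and not shown), each side proves knowledge of it with an HMAC over a fresh random challenge, and the role is mixed into the HMAC so an answer obtained in one direction cannot be reflected back in the other. The last-four-digits check from the article fails precisely because its "secret" is displayed in the clear elsewhere; here nothing secret is ever spoken.

```python
import hashlib
import hmac
import secrets

ROLE_CUSTOMER = b"customer"
ROLE_COMPANY = b"company"


def make_challenge() -> bytes:
    """A fresh random nonce; a recording of an earlier call answers nothing."""
    return secrets.token_bytes(16)


def respond(shared_secret: bytes, role: bytes, challenge: bytes) -> str:
    """Prove knowledge of the secret without revealing it. The role is bound into
    the MAC input so a response computed as 'company' is never valid as 'customer'."""
    return hmac.new(shared_secret, role + b"|" + challenge, hashlib.sha256).hexdigest()


def verify(shared_secret: bytes, role: bytes, challenge: bytes, response: str) -> bool:
    """Constant-time comparison against the locally recomputed response."""
    return hmac.compare_digest(respond(shared_secret, role, challenge), response)


def mutual_auth(secret_on_file: bytes, secret_held_by_caller: bytes) -> dict:
    """Run both halves of the exchange.

    secret_on_file is what the company stores for the account (assumed to have been
    established at account setup); secret_held_by_caller is whatever the person on
    the phone actually knows. Each side computes only from its own copy, so an
    impostor on either end fails the half that checks them."""
    # 1. Company challenges the caller.
    c1 = make_challenge()
    caller_response = respond(secret_held_by_caller, ROLE_CUSTOMER, c1)
    caller_verified = verify(secret_on_file, ROLE_CUSTOMER, c1, caller_response)

    # 2. Caller challenges the company, so a cold caller claiming to be the company
    #    has to prove it too (the situation the ATO anecdote describes).
    c2 = make_challenge()
    company_response = respond(secret_on_file, ROLE_COMPANY, c2)
    company_verified = verify(secret_held_by_caller, ROLE_COMPANY, c2, company_response)

    return {"caller_verified": caller_verified, "company_verified": company_verified}


def reflection_attempt(secret_on_file: bytes) -> bool:
    """Edge case the role binding exists for: a party with no secret hands the
    company's own challenge back to it as a 'customer challenge', collects the
    company's answer, and replays it as their own response. Returns whether the
    company would accept that replay (it should not)."""
    c = make_challenge()
    replayed = respond(secret_on_file, ROLE_COMPANY, c)   # obtained from the company
    return verify(secret_on_file, ROLE_CUSTOMER, c, replayed)


if __name__ == "__main__":
    # Constructed sample secrets for a local run.
    genuine = secrets.token_bytes(32)
    print("genuine caller:", mutual_auth(genuine, genuine))
    print("impostor caller:", mutual_auth(genuine, secrets.token_bytes(32)))
    print("reflection accepted:", reflection_attempt(genuine))
```

The point of the second leg is the one the commenter makes about the ATO call: a company that can only ask the customer for birth dates and card digits has no way to prove it is the company, whereas here the customer can issue a challenge and refuse to continue if the answer does not verify. The secret must be handled like a password on the company side (stored only in a form that supports this check and never read out by support staff), otherwise the scheme collapses back into the Wired scenario.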

    "Alumnus" not "alumni". The latter is plural, so unless Mat is some sort of collective you need to use the former.
