Beware! A Bug in Apple’s Password Reset Feature Is Leading to Phishing Attacks
According to a recent report onKrebsOnSecurity, several Apple users are being targeted in phishing attacks that take advantage of what appears to be a bug in Apple’s password reset feature. In this attack, users are bombarded with dozens of notifications or multi-factor authentication (MFA) requests to change their Apple ID password.
The attacker has managed to cause the targeted iPhone, Mac, or Apple Watch to displayendless system-level password change promptsthat prevent the devices from being used until the user chooses “Allow” or “Don’t Allow” for each prompt. The attacker does this repeatedly with the hope that the target will either approve the request mistakenly or get tired of the endless notifications and click on the allow button. When the request is approved, the attacker canchange the Apple ID password and lock the user out of his Apple account.
Thesepassword reset requests will appear on all Apple deviceswhere a user has signed in with the sameApple ID.Therefore, the user won’t be able to use any of his linked Apple devices until the popups are dismissed one by one on each of them.
An X (aka Twitter) user Parth Patelshared his storyof being targeted for this phishing attack on his Apple ID. He said he couldn’t use his Apple devices until he clicked on “Don’t Allow” for more than 100 notifications.The attackers made a led high effort focused attack on me, using OSINT data from People Data Labs and caller ID spoofing.First, around 6:36pm yesterday all of my Apple devices started blowing up with Reset Password notifications.Because these are Apple system level alerts,…pic.twitter.com/vX1AZvoVoN— Parth (@parth220_)March 23, 2024
The attackers made a led high effort focused attack on me, using OSINT data from People Data Labs and caller ID spoofing.First, around 6:36pm yesterday all of my Apple devices started blowing up with Reset Password notifications.Because these are Apple system level alerts,…pic.twitter.com/vX1AZvoVoN
These attacks aren’t just limited to sending notifications. The attackers had an ace up their sleeves. When the attackers can’t get the targeted user to click “Allow” on the reset password notifications, they will make phone calls using caller ID spoofing of the official Apple Support phone line. During the call, the attacker claims to know that the user is under an attack, and will empathize with the victim to win his trust. The attacker will attempt to get the one-time password that’s sent to the victim’s phone number when attempting password change requests.
In Parth’s case, the attacker used information leaked from a people search website, which included personal details like name, phone number, current address, past address, and more. Somehow, the attacker had his name wrong. The target became suspicious when he was asked to share a one-time code that appeared to be sent by Apple explicitly with a message saying that Apple does not ask for any codes. However, the attacker has the email address and phone number associated with the user’s Apple ID.
KrebsOnSecurity studied the issue and found these attackers appear to be using anApple page for a forgotten Apple ID password. This page requires an Apple ID or phone number, and it has a CAPTCHA. When you enter an email address, the page displays the last two digits of the phone number linked with that Apple account. When someone fills in the missing digits and hits the submit button, it sends a system alert.
At the moment, it isn’t clear how the attackers are able to abuse the system and manage to send multiple requests to Apple users. It seems there’s a bug in the system that’s being exploited. Apple system cannot used to send more than 100 requests at once, so probably, the rate limit is being bypassed.
If you’re an Apple user, you must make sure to tap “Don’t Allow” on all password change requests, unless you’ve deliberately made the request. Also, bear in mind thatApple never makes phone calls asking for one-time password codes. So, you must act smartly and escape these dangers.
Kanika Gogia
Kanika has been a loyal iPhone user since 2014 and loves everything Apple. With a Master’s in Computer Applications, passion for technology, and over five years of experience in writing, she landed at Beebom as an Apple Ecosystem Writer. She specializes in writing How To’s, troubleshooting guides, App features, and roundups for Apple users to help them make the best use of their gadgets. When not writing, she loves to try out new recipes and enjoy some family time.
Add new comment
Name
Email ID
Δ
01
02
03
04
05
