Beware of Attacks Using Password Reset Request Notifications

ace · March 26, 2024, 8:21pm

Originally published at: Beware of Attacks Using Password Reset Request Notifications - TidBITS

Brian Krebs covers an attack that exploits a vulnerability in the Apple ID password reset process to deluge users with requests to reset the password. Consider yourself forewarned.

ace · April 1, 2024, 2:07pm

8 posts were split to a new topic: Forged email scam

Shamino · April 1, 2024, 3:59pm

After reading a few followup articles, it appears that receiving a phone call from a scammer pretending to be Apple is part of the scam. After you’ve been convinced that you’re under attack (by the barrage of password reset requests), you then get a call from someone who claims they can solve the problem by activating some super new security feature. But you can’t turn it on yourself - only they can do it and they require your login credentials.

Needless to say, if you do what they say, then you really are doomed.

macguyver · April 12, 2024, 8:38am

[EDIT: Thank you Adam for merging this as I missed his original post on the subject. Made edits to avoid some duplicate info.]

I do not know if Apple has issued any fixes for this. I would have presumed they would have thought to set a limit on how frequent “Reset Password” requests can be sent and, if overused, lock out that feature for a designated period. This appears to not be the case.

[…] The trick is if the user accidentally presses the wrong spot, it can allow the attacker to reset the AppleID password and lock out the owner. Additionally, even if the Notifications are denied, some people have received fake calls from “Apple Support” at 1-800-275-2273 but it is in fact NOT Apple calling.

Simon · April 12, 2024, 1:18pm

There’s already a TidBITS brief on this attack.

macguyver · April 12, 2024, 4:57pm

Apologies for the duplicate (didn’t find that in my search). It is worth emphasizing the faked Apple Support calls, however.

Shamino · April 12, 2024, 5:05pm

Yes. That’s the key to the scam.

Sending password-reset requests alone wouldn’t work. Even if you agreed to them, the attacker would then need access to your e-mail account to complete the reset operation. And if they have that, there are other easier and more lucrative ways to steal your identity.

Halfsmoke · April 13, 2024, 6:33pm

Or even better for criminals, control of your mobile phone number through SIM-swapping.

macguyver · April 13, 2024, 8:44pm

For those of you who followed Adam’s link to the Krebs article, be aware it was updated March 27 (5pm ET) to add a “What Can You Do?” section (at end) and some comments about the Watch scenario.

Of specific note is the Watch screen size may require scrolling DOWN to use the “Don’t Allow” option. Additionally, Krebs tested the Apple Recovery Key suggested by Apple Support, but found it “does nothing to stop a password reset prompt from being sent to associated Apple devices.”

Looking at the Watch screenshot reminds me of a common concern I have with touch screen UI design: Critical options squeezed tightly together that may cause unintended activation of features. I would argue that for something so crucial, a 2nd confirmation screen should be required that includes a rephrasing of the action you are about to take.

A tiny bit of inconvenience for something most users rarely need to do is a small price to pay for a little more security.