Originally published at: Beware of Attacks Using Password Reset Request Notifications - TidBITS
Brian Krebs covers an attack that exploits a vulnerability in the Apple ID password reset process to deluge users with requests to reset the password. Consider yourself forewarned.
After reading a few follow-up articles, it appears that receiving a phone call from a scammer pretending to be Apple is part of the scam. After you’ve been convinced that you’re under attack (by the barrage of password reset requests), you then get a call from someone who claims they can solve the problem by activating some super new security feature. But you can’t turn it on yourself - only they can do it and they require your login credentials.
Needless to say, if you do what they say, then you really are doomed.
[EDIT: Thank you Adam for merging this as I missed his original post on the subject. Made edits to avoid some duplicate info.]
I do not know if Apple has issued any fixes for this. I would have presumed they would have thought to set a limit on how frequent “Reset Password” requests can be sent and, if overused, lock out that feature for a designated period. This appears to not be the case.
[…] The trick is if the user accidentally presses the wrong spot, it can allow the attacker to reset the AppleID password and lock out the owner. Additionally, even if the Notifications are denied, some people have received fake calls from “Apple Support” at 1-800-275-2273 but it is in fact NOT Apple calling.
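As an added illustration of the limit the post above asks for (example code written for this thread, not Apple’s code and not a description of how Apple ID actually works): a per-account sliding-window cap on reset-prompt notifications, with a lockout period once the cap is exceeded. The class name, thresholds and return values are all assumptions chosen for the example.

```python
"""Added example: rate-limit "Reset Password" prompts per account and lock the
feature out for a period once the limit is exceeded. Names and thresholds are
assumptions for illustration, not Apple's implementation."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResetPromptLimiter:
    max_prompts: int = 3          # assumed: prompts allowed per window
    window_seconds: int = 3600    # assumed: sliding window length (1 hour)
    lockout_seconds: int = 86400  # assumed: lockout length after abuse (24 hours)
    # account -> timestamps of prompts sent inside the current window
    _history: dict = field(default_factory=dict)
    # account -> time until which further prompts are suppressed
    _locked_until: dict = field(default_factory=dict)

    def request_reset(self, account: str, now: float) -> str:
        """Decide what to do with one incoming reset request for `account`.

        Returns one of:
          "sent"       - prompt delivered to the user's devices
          "locked"     - limit just exceeded; feature now locked, no prompt sent
          "suppressed" - request arrived during an active lockout
        """
        if now < self._locked_until.get(account, 0.0):
            return "suppressed"

        sent = self._history.setdefault(account, deque())
        # Drop prompt timestamps that have aged out of the sliding window.
        while sent and now - sent[0] >= self.window_seconds:
            sent.popleft()

        if len(sent) >= self.max_prompts:
            # Too many prompts in the window: lock the feature and start over
            # once the lockout expires. A real service would also alert the
            # account owner through a separate channel here.
            self._locked_until[account] = now + self.lockout_seconds
            sent.clear()
            return "locked"

        sent.append(now)
        return "sent"


def simulate_burst(limiter: ResetPromptLimiter, account: str, times: list) -> list:
    """Run a constructed sequence of request times through the limiter."""
    return [limiter.request_reset(account, t) for t in times]


if __name__ == "__main__":
    # Constructed burst: an attacker fires requests a second apart, then the
    # owner tries a legitimate reset a day later.
    limiter = ResetPromptLimiter()
    burst = [0, 1, 2, 3, 4, 5, 3 + 86400]
    for t, outcome in zip(burst, simulate_burst(limiter, "user@example.com", burst)):
        print(f"t={t:>6}s  {outcome}")
```

With the assumed defaults, the first three requests inside an hour are delivered, the fourth trips the lockout, everything during the next 24 hours is dropped silently, and the owner’s own request after the lockout goes through normally.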
There’s already a TidBITS brief on this attack.
Apologies for the duplicate (didn’t find that in my search). It is worth emphasizing the faked Apple Support calls, however.
Yes. That’s the key to the scam.
Sending password-reset requests alone wouldn’t work. Even if you agreed to them, the attacker would then need access to your e-mail account to complete the reset operation. And if they have that, there are other easier and more lucrative ways to steal your identity.
Or even better for criminals, control of your mobile phone number through SIM-swapping.
For those of you who followed Adam’s link to the Krebs article, be aware it was updated March 27 (5pm ET) to add a “What Can You Do?” section (at end) and some comments about the Watch scenario.
Of specific note is the Watch screen size may require scrolling DOWN to use the “Don’t Allow” option. Additionally, Krebs tested the Apple Recovery Key suggested by Apple Support, but found it “does nothing to stop a password reset prompt from being sent to associated Apple devices.”
Looking at the Watch screenshot reminds me of a common concern I have with touch screen UI design: critical options squeezed tightly together that may cause unintended activation of features. I would argue that for something so crucial, a second confirmation screen should be required that includes a rephrasing of the action you are about to take.
A tiny bit of inconvenience for something most users rarely need to do is a small price to pay for a little more security.