Security Researcher Finds a Fundamental Flaw in iOS (krausefx.com) 162
Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept, phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.
Terrible headline (Score:5, Insightful)
Phishing attacks that are well crafted don't count as flaws.
Re: (Score:3)
As if this couldn't be done on ANY platform.
Re: (Score:2)
Yes, it could be done on any platform.
However, the different platforms cultivate different sorts of users.
On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.
Compare the effectiveness of this sort of phishing on:
- An iOS account holder.
- An OpenBSD account holder.
Clearly, the Fisher-Price interface coddles and encourages certain types of behavior. You can't really blame that on the developers, or the users. It's
Re: (Score:3)
On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.
Leave the 10 Windows Phone users out of this. Thanks, I'll be here all week. Tip your waitstaff.
Re:Terrible headline (Score:5, Funny)
>Clearly, the Fisher-Price interface coddles and encourages certain types of behavior.
Phisher-Price ?
Re: (Score:2)
As if this couldn't be done on ANY platform.
It can't. There are reasons password fields don't pop up like that in other operating systems without also doing something only the operating system can. The problem here is the lack of any indicators that this is trusted.
Re: Did you know... (Score:3)
It's not a real attack unless you can get it onto the phone. Has an app with this dialog code made it past the app review process? Can you pop it up on Safari? If so, then a simple change to that one dialog box (like making it a different color to indicate secure) will fix that. If not, then nothing to see here. Just developers playing in a sandbox justifying the app review process.
Re:Terrible headline (Score:4, Insightful)
Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.
Re: (Score:3)
Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.
Again, why is this even news?
Impersonation of a Login Dialog can be done on ANY OS, period. And with stuff like Text Substitutions in a Dialog, pretty much no amount of App-Scanning by %APP_APPROVER% is going to discover a cleverly-obfuscated Dialog creation function.
What Apple (and others) could POSSIBLY do, is to make a "Credentials" Dialog appear COMPLETELY different from any-other-Dialog, using baked-in UI elements that are simply not accessible to Apps. Kind of like building holograms and micro-
Re:Terrible headline (Score:4, Insightful)
You have no experience with security, do you? A trojan can pop up a login dialog that only vaguely looks like an authentication prompt and 9 times out of 10 a user will enter their credentials - on Windows, Mac OS X, whatever. A technically astute user (0.1%) will understand this should not happen in a given circumstance. A normal user (99.9%) will just do what they're told (because they're trained to take action X, when they see prompt Y). Heck, I could probably create a prompt with a Gmail logo in a place totally unrelated to Gmail and I would still get Gmail credentials a high percentage of the time.
That said, iOS does make this worse. They have my biometrics but they still randomly show an iTunes/iCloud prompt, which is stupid.
Re: (Score:2)
You can't really compare this to desktop OSes like Windows or Mac OS.
The security model there is different. All "apps" you run on them are implicitly trusted; there is no security barrier between apps.
You don't need to fake a Gmail login prompt on Windows because you can simply read the memory of the browser or Gmail app and it will gladly give the memory contents including the password to you (if it still has it).
In iOS, each app is supposed to be isolated from each other and from the OS so this is a big(
Re: (Score:2)
Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.
Again, why is this even news?
Impersonation of a Login Dialog can be done on ANY OS, period
NOPE.. This is an old problem, and it is usually fixed or worked around a lot better in other OS.
And yet, no examples. And don't just rely on Ctrl-Alt-Del...
Re: (Score:2)
Try using a non-Crapple device. That is the example.
Re: (Score:2)
Try using a non-Crapple device. That is the example.
EXACTLY the Non-Response I expected!
Way to defend your point, Hater!
Re: (Score:2)
OS dialog impersonation attacks are nothing new [microsoft.com]. I remember there was one that popped up on a browser that looked like a Fisher-Price Windows XP dialog. The first time I was on a Mac so it was obvious. The second time, it popped up on an XP machine. But the user had set their colors to the olive green XP colors and not the default blue one or it might be convincing to the user.
Re: (Score:2)
The technical term here is "vulnerability" and it is a symptom of a failed security design.
Re:Terrible headline (Score:5, Insightful)
If the platform doesn't give you a way to distinguish, then it's still a platform security issue.
Re: (Score:1)
I agree. I think an authentication dialog box should include something that the app cannot know, such as some sort of user-selected image or phrase. If the dialog has a standard appearance an app can spoof it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Sure. Then an application pops up an authentication screen that doesn't say anything, and lots of users type in their password anyway. I have to type my password not only on Windows login, but when accessing other areas of the intranet. Therefore, I'm trained to enter my username and password on a prompt that doesn't follow the three-finger salute.
Re: (Score:2)
No, because you then have to ensure no app can grab a screenshot. You have to make sure no app can find the stored image / phrase. You have to make sure the user doesn't simply have it (or a copy of it) in their pictures / documents directory named "securitypicture" or "securityphrase", etc.
A secure attention key is the way to go. How many decades have we known this for?
Re: (Score:2)
This is nothing new by any stretch and applies to many platforms.
I remember back in college the computers were all linux terminals. Someone scripted a shell within their shell that let others log in. Equal to running a VM within a VM...and a handy keylogger in the middle.
And...it looked just like every other terminal. You could log in, do your thing, log out. It was slow as crap but...the whole computer system at the time was crap so no one suspected anything. He was eventually caught and expelled, but
Re: (Score:2)
This is nothing new by any stretch and applies to many platforms.
I don't disagree with you there. But it's been ignored too long at this point. With the OS taking the primary role in security these days, it's time to address it.
Re: (Score:2)
One word:
2FA
Re: (Score:2)
One word:
2FA
That's three words
Re: (Score:2)
Or one.
Re: (Score:2)
Actually, none.
Re: (Score:2)
2 -3 - 1 - 0
10
11
01
00
That's grey coded.
I think it counts as a flaw. (Score:4, Insightful)
Honestly I think this does count as a fundamental flaw--but a flaw in the design of the user interface flow used to obtain credentials for iTunes (or for other applications).
It's a flaw for two reasons. First, any process which interrupts your current actions with a modal dialog is a flaw in that if you are not paying attention, you may accidentally tap the accept or cancel button without realizing what you are doing. (This is worse on a desktop environment, where a pop-up may appear while you are typing. If you are a fast touch-typist like I am, you may accidentally press 'enter' or 'space' before realizing what you're typing has gone into the dialog box that just randomly appeared.)
Second, the design is a flaw because it does not give a mechanism by which the context of the dialog box cannot be brought forward and examined for validity. That is, with the iTunes login prompt, all you are permitted to do is to enter the password or not--but you have no way to know that it indeed is coming from iTunes.
I personally would consider fixing this user interface flaw by doing three things.
First, provide a notification mechanism which is clearly visible to the user (such as a flashing bar at the top of the screen), but which does not directly interrupt the user's interaction with the device. If, for some reason, a password is necessary before the user can continue his interaction with the device, I would propose a dialog box come up which stops the user interaction with an accept/cancel button but which does not ask for information.
Second, in response to the notification mechanism, I would switch to the application that is asking for the information. (This is easier now that iOS supports multiple concurrent applications and a method for going 'back' in the upper-left corner of the screen.) This gives the user the opportunity to examine the application which is asking for the information. (If this is in response for an iTunes password prompt, I would switch to the Settings app and to the iTunes password screen within settings.)
Third, I would explicitly prohibit (either by changing the OS or through the review process) modal dialogs not belonging to an application from appearing over another application. This includes built-in OS modal dialogs.
All of this is designed to force the user to examine the context in which their sensitive information is being requested, rather than blindly handing it over. Because this sort of interaction is relatively rare, forcing the user to switch to the settings page (rather than just grabbing the password on the go) is not an unreasonable price to pay here.
Re: (Score:3)
As an aside, on iOS we already force applications to switch to the Settings app to turn on or off notifications and location settings; there is no API within iOS which can programmatically change these settings.
Doing the same for iTunes passwords doesn't seem unreasonable to me.
Re:Terrible headline (Score:5, Insightful)
I disagree in this case. Apple has had an annoying problem for a couple of years where it would pop up an anonymous dialog box asking you to log in for no discernible reason.
You should never be prompted to enter your password without some sort of justification and idea of where it's coming from. It used to pop up 6 or 8 times in a row and I'd dutifully enter my password, wondering what the heck was going on. Usually I'd press the cancel button before iOS stopped asking me.
Apple's crafted a system where you reflexively enter your password with no justification, and they could make that stop any time by including information about the process that's asking for it. It really is a problem in iOS that we've been complaining about for years. I'm surprised it took this long for someone to point out that it could be used for phishing.
Re: (Score:2)
I agree with you entirely - but if Apple adds some sort of identifier regarding which process triggered the pop-up prompt, it’s not clear a malicious actor couldn’t fake that part of the pop-up as well.
I wonder whether the whole process should be redesigned somehow.
Re: (Score:2)
I agree with you entirely - but if Apple adds some sort of identifier regarding which process triggered the pop-up prompt, it’s not clear a malicious actor couldn’t fake that part of the pop-up as well.
I wonder whether the whole process should be redesigned somehow.
I don't think that the pop-up prompt that the phishing apps are using is the same as the iOS is using. The way it works, normally, is that a pop-up will be displayed when you attempt to start any of those phishing apps. There are some games in the App Store right now that will force you to enter your password before you could even start the game. Some of these apps have similar pop-up format (but not exactly) right when you load it up as well. So it doesn't matter whether Apple adds some sort of identifier
Re: (Score:2)
No, I saw this even on release versions with no beta profile installed. Same with my partner, who's never installed a dev or beta profile in her life. The frequency has dropped off quite a lot—I probably only see the popup once every 3 or 4 months now—but for a while, it was a daily irritant.
It *is* a flaw. (Score:2)
It's a *design* flaw though, not the usual half-assed implementation flaw. Yes, there's a social engineering component, but the design of the OS makes the job of the social engineer all too easy.
This attack is like a hybrid Trojan/phishing/MITM attack: your evil app puts up a bogus dialog box that looks like an iOS dialog box asking for Apple credentials. It then harvests this information and transmits it to the bad actor. And it isn't just Apple that's vulnerable to this; Windows does this so often th
Re: (Score:2)
Re: Terrible headline (Score:2)
Re: (Score:3)
Yeah, but all we see is the *s because it's not our password.
When I type my password, **********, you see *s but I see the actual password.
Re: (Score:2)
Re: (Score:2)
If you think the average user will think "Oh, I didn't press ctrl alt delete this must be a fake!!!", you have FAR too much faith in the average user. I don't think the average techie would think about the keypress combo, much less the average user. The techie is more likely to realize that there was no reason for a login screen to come up than think about the lack of a keypress.
Re: (Score:2)
If they see a login screen without having pressed this, they will know it's bogus.
Really? I don't press c-a-d when I click on an unmounted but mapped network drive, and I get a pretty clear request for a username and password.
Re: Terrible headline (Score:2)
Do you want a user's Apple ID password to get access...
Not just the headline; why would I want the password to have access?? Oh, wait; it was just another deficiency in basic English...
Re: (Score:2)
I believe what they were pointing out was the users.
Re: (Score:2)
If your browser would let any web site show https://myaccount.google.com/ [google.com] in the address bar with the green padlock, is that not a security flaw?
Not saying this is exactly the same, but if a platform makes it very hard or impossible for the user to detect a phishing attack, it is a security flaw.
So... (Score:3)
Never an Apple user (Score:4, Insightful)
But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password
Re:Never an Apple user (Score:5, Insightful)
Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.
And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."
There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.
Re:Never an Apple user (Score:4, Interesting)
Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.
And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."
There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.
If something is asking for my AppleID, it needs to be displaying the "TouchID" "Dialog", or I'm not playing. And TouchID simply returns a Go/No-Go back to the App.
That's about as secure as it can get.
I do agree, however, that there should be something to distinguish a System-Generated Password Dialog from ANY other Dialog.
Re: (Score:2)
Re: (Score:2)
From what I've read (can't confirm since I don't use iOS), the system sometimes asks for your password even if you use TouchID for authentication. If so, there's the flaw.
The only time that is true is the initial Lock-Screen (wherein it will ask for a PW under certain conditions, e.g. not logging-in for 48 hours, etc.), and I double-dog-dare anyone to do a MITM attack on THAT process! ;-)
Re: (Score:2)
Re: (Score:2)
Nah, not that. The lock screen asks for the passcode. This article is about the Apple ID password. (Again, I can't confirm how exactly it works - maybe it only asks for that when you use iCloud)
AppleID Passwords are asked for only when Making Purchases in the App Store, or iTunes Purchases. And if you have TouchID, you can use that, which is more secure (no authentication info leaves the device).
I avoid iCloud; but the iCloud sign-in Dialog asks for an "iCloud PW", (NOT the AppleID one); so I think they at least CAN be different.
Re: (Score:2)
Re: (Score:2)
Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.
Sounds like someone who's never used iOS. I'm not asked "ALL THE TIME" for my Apple ID especially if I've already set my settings. The times I'm asked for my authentication for my Apple ID, it's for my fingerprint. If I turn it off, it would ask if I purchase something (because my settings are set to this).
And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."
And what determines an authentic password request on Windows or Android? And that request can't be faked?
There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.
Er what? You've confused many things. Ctrl-Alt-Del originally had nothing to do with passwords. The
Re: (Score:2)
Windows NT would ALWAYS require you press Ctrl-Alt-Del before entering your login password.
Um. Not ALWAYS. It could be disabled by settings. And the fact of the matter is that any program could spoof the password dialog visually. For the average NT user, would they automatically remember that they had to press Ctrl-Alt-Delete before entering a password (if that setting was enabled)? Not always.
Re: (Score:2)
Re: (Score:3)
But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password
That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.
It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they
Re: (Score:2)
But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password
That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.
It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they were doing. As a result, users just became conditioned to always allow it. Bad actors who wished to exploit users could count on the fact that the vast majority of users would just OK whatever it was to make the pop-up go away. Think about that for a minute. The goal was to stop unwanted changes to the system. If I double-click an installer then I want to change the system and there is no need to ask me. However, if something that I did not launch myself fires up in the background and wants to change my system, that is not OK. The way Microsoft executed UAC was such that the user could not easily distinguish between the two and the user in haste to make the pop-up go away will allow whatever.
Back to Apple. If the user cannot distinguish between something like the two use cases I have described then there may be a flaw to be addressed. It may also just be a problem with the application ecosystem itself or a manifestation of the user community's predisposition for convenience. In any case, I think that calling it a "fundamental flaw in iOS" is hyperbole.
The iOS experience is NOT filled with UAC-like Permission Challenges. Never has (hopefully) never will.
The typical iOS User will ONLY be challenged in a very few situations:
1. Doing an OS Update.
2. Doing a Backup/Restore of their Device.
3. Downloading an App from the App Store.
4. iTunes Store Purchases/Rentals.
5. Creating/Changing your AppleID login credentials.
There MIGHT be a few others; but they are rare enough that I can't remember ever seeing them personally.
Notice that ALL of those are ONLY initiated
Re: (Score:2)
The fact that you'd only be asked for password in those situations is not sufficient to be sure it would not be a problem.
If I were so inclined to try and exploit this so-called "flaw", I would write my application so that the malicious code does not execute for the first 30 days (and thus should not be noticed by those that are performing an app-store eligibility review), and then one day after that, and entirely at random, upon invoking some in-app purchase, the faked dialog pops up instead of the
Re: (Score:2)
The fact that you'd only be asked for password in those situations is not sufficient to be sure it would not be a problem.
If I were so inclined to try and exploit this so-called "flaw", I would write my application so that the malicious code does not execute for the first 30 days (and thus should not be noticed by those that are performing an app-store eligibility review), and then one day after that, and entirely at random, upon invoking some in-app purchase, the faked dialog pops up instead of the real one. The user enters their credentials, and a brief moment later, they are given the same message that would show up if a user happened to lose their network connectivity just after they got the dialog (I don't know what sort of notification this is for the iPhone, so I can't say for sure that I know what it would be... maybe the app just says it lost connection to the store, or whatnot. I don't know). Anyways, after it has done this exactly once for a given user, it would not ever do it again.
I expect that most users would retry, and at this point the app would proceed normally via a real itunes purchase, while their password was still stored by the app in the first popup.
At some later point, this username and password combo could be sent to some home base by the application, perhaps as part of a request that retrieves high scores for other players, and the user would not necessarily ever know about it unless they were practically being voyeurs for every network packet their device sends and receives.
I'm honestly not sure what it says about my ethical standards that I would have taken the time to even think of this.
Pretty sure that iOS sandboxing would make those kinds of inter-app shenanigans impossible.
Re: (Score:2)
No, it would be like saying Android is insecure because Google regularly sends emails asking to reset your Gmail password. So when you get an email that looks similar you'll just click the link and enter your password.
On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.
So the issue
Re: (Score:2)
No, it would be like saying Android is insecure because Google regularly sends emails asking to reset your Gmail password. So when you get an email that looks similar you'll just click the link and enter your password.
On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.
So the issue here is that by being asked for your password a lot (relatively, at least), then a user won't think twice when asked at any random time and will just enter it.
As I said, fortunately, iOS doesn't ask for your login every whipstitch, either. Only during certain specific APPLE tasks.
See: https://it.slashdot.org/commen... [slashdot.org]
Re: (Score:2)
Yes, it is, because it shouldn't be possible for a trojan to impersonate the system log in screen. That's why Windows boxes make you use ctrl-alt-del--user programs can't catch that key sequence and make it look like you're logging in.
Re: (Score:1)
But this isn't a flaw in IOS.
It's a flaw when the operating system allows an application to trivially impersonate the operating system, and the operating system doesn't have any way for the user to determine that the UI element is part of the operating system and not an application.
Re: (Score:2)
When I get a popup in kde asking for my root password, it doesn't look different than any other prompt that pops up.
Sure, there are ways that apple could change this but as someone mentioned above, I get a standard google password pop up for micro-transactions. I also get one if I use the "Find my Phone" android app.
Really, if the user is entering their password on any prompt - especially one that comes up for no reason - this is a user issue.
When I click on an email to reset my password and it takes me to
DUMB (Score:1)
This article is the stupid.
Avatar or user only knowledge (Score:3, Informative)
This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldn't forge the OS dialogue, because it doesn't have access to that info.
At the same time, there are probably still limitations arising from an app asking for permissions it shouldn't need. This is easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.
Re: (Score:2)
This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldn't forge the OS dialogue, because it doesn't have access to that info.
At the same time, there are probably still limitations arising from an app asking for permissions it shouldn't need. This is easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.
Apple did the "Permissions" the other way-around. The App can install; but it has to ask Permission when it goes to USE the Service for the first time, and the Permission can ALWAYS be revoked from the Settings "App". I think Android FINALLY changed to a similar security model; but it took 'em long enough!
Try the enterprise environment... (Score:1)
This is everywhere... (Score:3)
Lots of people use their Google account, or their Facebook account, to log into various sites and services. I'm not sure how Facebook works, because I rarely use it. Google makes you type in your password once per month, so Google users are also trained to enter their password more-or-less at random, when asked. It would be dead easy to fake the password dialog.
Users trading off security for convenience, yet again. The stupid thing is that companies encourage this behavior. If some service really wants you to login again, it should ask you to go log in, not present you with some dialog to type in your password.
Re: (Score:2)
Re: (Score:1)
Except with oauth, you should not be entering your credentials anywhere except Google/FB's site. That's part of the point of it.
If you're not on google.com or facebook.com, don't enter the password.
Re: (Score:2)
login: (Score:1)
This is old as stones. We used this ages ago to make fun of unsuspecting uni dinosaurs. Just run a program printing "login:" and you're done.
So, what's new?
Gonna be tough (Score:2)
Will they install control, alt and delete keys on iPhones?
'Security Researcher' (Score:5, Insightful)
Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other people's stuff just to brag about it?
And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.
Re: (Score:2)
Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other people's stuff just to brag about it?
And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.
Exactly!
Terrible flaw in the human mind (Score:2)
I can simulate a real terror threat and people will believe it! -get a new brain?!
How the fuck is this a flaw in iOS? What a load of rubbish.
Turns out you can call yourself anything (Score:1)
Why title it "Security Researcher" when you clearly submitted a post about yourself? Why not instead title it "I find what I personally think is a fundamental flaw in iOS"?
Keyword: Trained (Score:5, Insightful)
I'm asked for my Apple password at least once a week, and it happens absolutely randomly. I might be doing anything, and suddenly "hey re-authenticate please!". I've absolutely been trained to not question it and just punch the password in so my phone continues to work. This is even worse than the whole "constant UAC prompt trains users to just say yes", because it has absolutely zero context. I don't know what triggered it, I don't know how not putting the password in limits me exactly, I have no way of knowing it's really the system asking for the credential, and I'm not just pressing yes, I'm inputting my golden key. Just bad design all around.
Re: (Score:2)
When he says "password", I think he may mean "passcode". After the passcode is entered to unlock the phone, it will then unlock using only TouchID for a week before requiring the passcode again be entered (unless two days go by without being unlocked). The passcode prompt often appears to be random since you keep unlocking the phone with a finger, then suddenly it says no, give me the passcode instead (often at a rather inconvenient time).
Like you, I don't get Apple/iCloud password prompts unless performing
Re: (Score:2)
I never get prompted for my iCloud password. I'm prompted for my iTunes/Apple/whatever password at the times I'd expect to be prompted.
I get it... (Score:1)
Social Engineering (Score:2)
Re: (Score:2)
Yeah, no. Whoosh. What we're debating here is social engineering engineering, the kind of engineering a responsible corporation engages in if they're up to speed with the former.
I'm pretty sure this is why Apple wants to include a living retina eye scanner in every phone.
Personally, if I had the option (and an iPhone), I'd set things up so my smart watch's accelerometer first had to detect my left hand performing a sinister Catholic cross before the o
Re: (Score:2)
Your snark suggests that either:
1). You don't think a social engineering attack is a "real" attack; 2). You don't think that social engineering has any meaningful defense, because stupid users, right?
Wrong on both counts.
Your presumptions make you stupid. I merely suggested it is being REPORTED as something new when in fact it's OLD. Now on the other hand, if we were presented with some new means of defending ourselves against social engineering, that would be news.
Research, seriously?? (Score:2)
This exploit is live in the wild (Score:1)
Re: (Score:3)
There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary.
You said there was no equivalent, and then listed the equivalent.
Re: (Score:3)
Did they? All they said is that they'd be wary if they were asked for their Google Play password. They did not say that the request was ever legitimate. I imagine that if I was asked for the password, the phone would switch over to the Play store app before popping up the dialog - but I also can't remember ever being asked.
Re: (Score:2)
Many apps pop up the Google Play app for authentication. There is 0% chance that it cannot be faked as well as an iOS authentication pop up.
Re: (Score:2)
Is that true? I've had Android phone for 6+ years and can't ever remember a 'system' popup asking for a password. There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary. I'm genuinely curious if this sort of phishing has been tried on Android?
No. On Android, they just pull the stuff out WITHOUT User Intervention...
Re: Not "fundamental" (Score:2)
Re: (Score:2)
You need to learn the history of iCloud and the sipping of ALL your data without user knowledge before you go throwing stones from your fucking glass house.
Another Apple story where your butthurt is visible for everyone to see.
Citation, please.
And was this an early version of iCloud, long since fixed?
Re: (Score:2)
Well not over 30 years ago, Ctrl-Alt-Del as a Secure Attention Key until 1994 in Windows NT. Other than that it was a reboot sequence.
But the concept has been out of fashion for years, but warrants a reminder of the value of something the OS can hook and unconditionally react to, to discourage OS dialog phishing.