New ask Hacker News story: Major security vulnerability of AppleID's 2FA

Major security vulnerability of AppleID's 2FA
3 by uyloal | 0 comments on Hacker News.
Original link: https://ift.tt/FEmdD82

I can't put the original link in the URL field, so I put it into the content. The original link requires proficiency in Chinese language to comprehend.

If an application conceals a webview behind a login or other interface, and the webview opens appleid.apple.com, upon tapping the login button, the application can execute JavaScript to simulate clicking the login button of appleid.apple.com. If one fails to discern the disparity between "Sign in Apple ID" and "Sign in with Apple," the application can execute JavaScript to pilfer cookies associated with appleid.apple.com.

Following the aforementioned steps, the application will present an alert resembling "Sign in to iTunes Store." As you are aware, an app-generated "Sign in to iTunes Store" alert bears no distinction from a system-generated one. The sole means to verify whether the alert originates from the system is attempting to return to the home screen. If this goes unnoticed, the application will acquire your Apple ID password.

This constitutes the primary concern, because logging into appleid.apple.com on a trusted device doesn't require 2FA; it only requires Face ID or Touch ID, whether you're logging in using Safari or WebView. The application can exploit JavaScript to modify your phone number used for two-factor authentication, thereby getting control of your Apple ID, enabling the attacker to use it for credit card theft.

To summarize why this is happening:

1. Benign iOS prompts are indistinguishable from those generated by malicious apps. https://ift.tt/rMVyBTx
2. There is no security measure to confirm that Sign in Apple ID with Face ID is called from within a trusted app.
3. There is no security measure when you change 2FA information, even if you have already turned on AppleID's 2FA.

How do you reproduce it?

1. Open appleid.apple.com in an app that uses a webview to open links.
2. Tap the login button of appleid.apple.com; you will see the Sign in Apple ID alert.
3. Confirm the sign-in with Face ID or Touch ID, and try to change your 2FA phone number. At this step, you should notice that you don't need to confirm 2FA to change your 2FA phone number; you just need a password to change it!
