Apple, Amazon's Weak Security Allows Huge Hack of Gizmodo Reporter
August 7, 2012 12:28 PM
comment(s) - last by
Circumventing the writer's password proved easy thanks to some help from Apple
According to Kaspersky Labs, Apple, Inc. (
ten years behind Microsoft
) in security. Mat Honan, a former
editor and senior
reporter found that out the hard way when a hacker took over the official
Twitter feed and Mr. Honan's other accounts to spew foul racist and offensive messages onto the internet.
The culprit was a combination of Apple and Amazon.com, Inc.'s (
) security procedures. Like many journalists, Mr. Honan was a fan of Apple's popular gadgets. And like many he shopped on Amazon. But that popular commerce portal, Amazon, combined with those Apple gadgets'
ubiquitous online interface -- iCloud
-- proved the key to the unfortunate intrusion. The real Mat Honan writes, "[The hacker] got in via Apple tech support and some clever social engineering that let them bypass security questions. "
Via the iCloud (*.mac) email account, the hackers gained access to his Gmail and Twitter via common password recovery interfaces. They also locked him out of his iCloud account, changing his password.
By hacking Apple's iCloud and Amazon's commerce portal, a malicious user gained access to an award-winning journalist's accounts. [Image Source: 9 to 5 Mac]
At first Mr. Honan suspected his "7 digit alphanumeric" was cracked, given its shorter length. However, he was puzzled because "I didn’t use elsewhere."
In the chaos that ensued Mr. Honan saw his MacBook Air, iPhone, and iPad remote wiped -- a glaring dark-side of these features that were designed to
Apple users. The "Genius Bar" is currently working with him to see what data is recoverable, and in the meant time he's managed to re-secure his accounts.
Aside from the newsworthiness of such a high profile, award-winning tech journalist being victimized by a malicious hacker, the story of Mr. Honan's misfortune also raises more serious questions regarding Apple and Amazon's security.
The hack of prize-winning journalist Mat Honan raises tough questions for Apple and Amazon.
[Image Source: Ibabuzz]
Based on the account by both the hacker who attacked him and Apple, Mr. Honan says virtually any iCloud user is at risk of having their account hijacked via a quick and dirty social engineering scheme.
He writes in a followup:
Via AppleCare, I was able to confirm the hacker’s account of how he got access to my account. I have an email in to Tim Cook and Apple PR, and want to give them a chance to respond (and make changes). I want to give the company a little more time to look at its internal processes, but should be as simple as a policy change. So far, I haven’t received any acknowledgement from Apple corporate. I did, however, get an urgent call from AppleCare ten minutes after emailing Mr. Cook, informing me that my situation had been escalated and there is now only one person at Apple who can make changes to my account. So I gather corporate is aware of what happened and looking into how to most effectively respond to make sure this doesn’t happen again.
At least, I hope that’s what’s happening.
In a post yesterday on
, he provides more information, explaining Amazon.com, Inc. (
) is also to blame, by allowing unwanted account access through a bizarre loophole. Mr. Honan writes in
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
The key gaff on Amazon's part appears to be to allow you to add a credit card to your account without verification at your original email. Hopefully Amazon fixes this in a timely manner.
As for Apple, in many ways its flaw is worse, as virtually any compromised commerce portal provides a partial (last 4-digit) credit card number. That Apple would allow this as identity verification is troubling, to say the least.
Apple has struggled over the last year with security. In one extreme instance it was shown to be
saving some user passwords in plaintext
, an issue that took it months to remedy. The company, whose value is largely built on an impression of
superiority over conventional personal computers
, has largely
refused to publicly acknowledge
these issues for fear of damaging its prized image.
Ultimately Mr. Honan would discover that the hacker involved -- who called themself "Phobia" -- didn't target him because he was a high profile writer. He targeted him because he has a coveted 3-character Twitter handle (@mat). The rest was, as hackers say "gravy" -- and thanks to Amazon and Apple there was plenty of gravy to go around.
This article is over a month old, voting and posting comments is disabled
RE: Ahh, you sheeples
8/7/2012 7:43:23 PM
But blaming Apple for all this is a bit like blaming any other company if someone stole your wallet and was able to perform this same "hack". If they have your valid information, and that information is the only means of proving you are who you claim to be then this is basically identity theft isn't it?
Only difference here is Phobia didn't lift a wallet, he went on facebook, twitter, personal websites, etc and used that information to exploit a loophole in Amazon's system to get the last bit of information. But someone who did lift your wallet could have done the same thing in half the time.
If someone got all the information they needed about you to perform the same type of identity theft, would you blame Google? As far as they know, you just changed your password and then made changes to your account. Are Microsoft actively monitoring your computer and Google your Android phone? Would they step in because they think something odd is happening? If not, you are just as vulnerable to identity theft if someone REALLY wants to target you. Even if you shun yourself from the norms of social media, you are still posting here. Someone could just as easily hack into dailytech and get some clues that would lead them closer and closer until they get the information they really wanted. Welcome to the sheeple, you should have kept your mouth shut.
RE: Ahh, you sheeples
8/8/2012 3:29:22 AM
I think the point was that Apple used the last 4 digits of the CC as a security check. As far as I remember these are even shown on the advice slips you get from the ATM? They are definitely shown on most websites. If my bank account was hacked in this way I would not be blaming Amazon.
Apart from social engineering they didn't have a great deal of info on the guy? a user name, real name and address? not quite identity theft I think.
"I mean, if you wanna break down someone's door, why don't you start with AT&T, for God sakes? They make your amazing phone unusable as a phone!" -- Jon Stewart on Apple and the iPhone
Apple to Update iTunes with iCloud Integration, Music Sharing
June 28, 2012, 5:07 PM
Apple Takes 3 Months But Finally Stops Printing Passwords in Plaintext
May 9, 2012, 5:20 PM
Kaspersky Labs: Apple's Security 10 Years Behind Microsoft
April 26, 2012, 7:39 AM
Apple Orders Technicians to Feign Ignorance About Mac Malware
May 20, 2011, 12:54 PM
Ad Wars: Apple Fights Back With Four "Get a Mac" Commercials
April 20, 2009, 9:21 AM
iLate: CEO Tim Cook Says Apple Watch Will Ship in April
January 28, 2015, 3:03 PM
Amazon's Fire Sale on Fire Phone Steps up in UK w/ 1-Day Sale @ $150 Unlocked
January 28, 2015, 11:53 AM
Apple Sees Record Profit of $18 Billion, Sells 74.5 Million iPhones in Q1 FY2015
January 27, 2015, 6:01 PM
Apple Might Miss High-End of Analyst Estimates, Microsoft Earnings Hint
January 27, 2015, 3:14 PM
Microsoft Smartphone Sales Up 28 Percent as Lumia Budget Models Gain Ground
January 27, 2015, 8:30 AM
Quick Note: Special 20th Anniversary PlayStation 4 Raises $128,000 for Charity
January 26, 2015, 4:14 PM
Most Popular Articles
Under the Hood: How DirectX 11.3 and 12 Will Supercharge Windows 10 Gaming
January 23, 2015, 12:34 PM
2016 Cadillac CTS-V Packs 640 hp Punch with 200 mph Reach
January 23, 2015, 3:25 PM
Microsoft Shows Off Latest Windows 10 Build, Preps it for Next Week Release
January 21, 2015, 2:57 PM
Google Fixes Homophobic "Bug" in its Translator
January 27, 2015, 2:31 PM
Will Google Become America's Fifth Major Carrier?
January 22, 2015, 12:42 PM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information