
Apple IdentityServices: What if anyone can be you? - 0x0
https://medium.com/@khaost/what-if-anyone-can-be-you-973a2267cdda
======
rodorgas
It seems that you can not only send messages, but also intercept messages received.
It can grant an attacker access to all of your services that verify your identity
with an SMS code.

------
st3fan
This article can also be called “Burning Bridges”

~~~
draw_down
Sounds like they were burnt already. I can’t fully grasp what is happening
here except that messages can be sent in a way they shouldn’t be, but it seems
not great. And of course their recent track record is, shall we say, not great
either.

Also, personally, while I appreciate the reasons for disclosing privately
first (“responsible disclosure” is a bit pejorative for my taste), I don’t
think it should be expected and I don’t think companies should retaliate or
condemn those who opt not to do it. They’re the ones who made the insecure
software and it’s important to keep that fact front and center. So if that is
what has happened I am not keen to blame the author.

I’m not willing to play “poor Apple”, again and especially, after their recent
security issues. Things seem to have really fallen apart over there, and
getting bitchy with this guy isn’t going to do anything to help it.

~~~
0x0
The way I read this is: 1. iOS and macOS allow you to type out an SMS message
on your Mac, which is delivered via the same mechanisms and channels as
regular iMessages to your phone, causing it to relay and send out the SMS on
behalf of your Mac; 2. it turns out anyone on the internet can send you an
iMessage formatted as if it was an SMS relay request sent by your Mac to your
phone, and your phone will relay the SMS out to a third (fourth?) party - and
nothing checks to see if the relay request actually came from your Mac.
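
The missing origin check described in the comment above, modelled as an added example; it is not part of the thread, the linked article, or Apple's code. The `Envelope` fields, the `Phone` class, the `"sms-relay"` type string and the idea that the transport exposes an authenticated sender account and device are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Envelope:
    sender_account: str  # identity the transport authenticated (assumed available)
    sender_device: str   # device id the transport authenticated (assumed available)
    kind: str            # type declared inside the payload, i.e. sender-controlled
    sms_to: str
    body: str

@dataclass
class Phone:
    account: str
    approved_relays: set = field(default_factory=set)  # devices the owner paired

    def handle_unchecked(self, env):
        # Behaviour as the comment reads it: the declared type alone triggers a relay.
        if env.kind == "sms-relay":
            return ("SEND_SMS", env.sms_to, env.body)
        return ("SHOW", env.sender_account, env.body)

    def handle_checked(self, env):
        # Relay only for the owner's own account AND a device approved for forwarding.
        if env.kind != "sms-relay":
            return ("SHOW", env.sender_account, env.body)
        if env.sender_account != self.account:
            return ("REJECT", "relay request from another account")
        if env.sender_device not in self.approved_relays:
            return ("REJECT", "device not approved for SMS forwarding")
        return ("SEND_SMS", env.sms_to, env.body)

# Constructed sample data, not captured traffic.
PHONE = Phone("owner@example.com", {"owners-mac"})
FROM_OWN_MAC = Envelope("owner@example.com", "owners-mac", "sms-relay", "+15550100", "hi")
FROM_STRANGER = Envelope("other@example.com", "unknown", "sms-relay", "+15550100", "hi")
FROM_UNPAIRED = Envelope("owner@example.com", "old-laptop", "sms-relay", "+15550100", "hi")

if __name__ == "__main__":
    for env in (FROM_OWN_MAC, FROM_STRANGER, FROM_UNPAIRED):
        print(env.sender_device, PHONE.handle_unchecked(env)[0], PHONE.handle_checked(env)[0])
```

The third case shows why an account match alone is not enough: a device signed in to the owner's account but never approved for forwarding is still refused.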

