Major security vulnerability of AppleID's 2FA
17 points by uyloal on July 25, 2023 | hide | past | favorite | 5 comments
original link: https://www.v2ex.com/t/959041 I couldn't put the original link in the URL field, so I put it in the content. The original link requires proficiency in the Chinese language to comprehend.

If an application conceals a webview behind a login or other interface, and the webview opens appleid.apple.com, upon tapping the login button, the application can execute JavaScript to simulate clicking the login button of appleid.apple.com. If one fails to discern the disparity between "Sign in Apple ID" and "Sign in with Apple," the application can execute JavaScript to pilfer cookies associated with appleid.apple.com.

Following the aforementioned steps, the application will present an alert resembling "Sign in to iTunes Store." As you are aware, an app-generated "Sign in to iTunes Store" alert bears no distinction from a system-generated one. The sole means to verify whether the alert originates from the system is attempting to return to the home screen. If this goes unnoticed, the application will acquire your Apple ID password. This constitutes the primary concern, because logging into appleid.apple.com on a trusted device doesn't require 2FA; it only requires Face ID or Touch ID, whether you're logging in using Safari or a WebView. The application can exploit JavaScript to modify your phone number used for two-factor authentication, thereby gaining control of your Apple ID and enabling the attacker to use it for credit card theft.

To summarize why this is happening:

1. Benign iOS prompts are indistinguishable from those generated by malicious apps. https://arstechnica.com/information-technology/2017/10/beware-of-sketchy-ios-popups-that-want-your-apple-id/

2. There is no security measure to confirm that Sign in Apple ID with Face ID is called from within a trusted app.

3. There is no security measure when you change 2FA information, even if you have already enabled Apple ID's 2FA.

How do you reproduce it?

1. Open appleid.apple.com in an app that uses a webview to open links.

2. Tap the login button of appleid.apple.com; you will see the Sign in Apple ID alert.

3. Confirm sign-in with Face ID or Touch ID, and try to change your 2FA phone number. At this step, you should notice that you don't need to confirm 2FA to change your 2FA phone number; you just need the password to change it!
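An added example, not from the post above and not Apple's code: a toy account-service model in Python that shows the program-flow point the reproduction steps make. One version of the 2FA-phone change checks only the password (the flow described above); the other is a hardened version that requires a fresh second-factor proof before the change (step-up authentication) and consumes that proof once used. All function and class names, the 300-second freshness window, and the sample account and TOTP secret are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    # Constructed sample record; a real service keeps these server-side.
    password_hash: bytes
    salt: bytes
    twofa_phone: str
    totp_secret: bytes


@dataclass
class Session:
    account: Account
    # When the password (or a biometric unlock on a trusted device) was accepted.
    authenticated_at: float
    # When a second-factor proof was last accepted; None means not yet in this session.
    second_factor_verified_at: Optional[float] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, account.salt), account.password_hash)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the usual authenticator-app code."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_second_factor(session: Session, code: str, now: Optional[float] = None) -> bool:
    """Accept the current or previous 30 s window; on success record a fresh proof."""
    now = time.time() if now is None else now
    for t in (int(now), int(now) - 30):
        if hmac.compare_digest(totp(session.account.totp_secret, t), code):
            session.second_factor_verified_at = now
            return True
    return False


# Flow as described in the post: the password alone is enough to change the 2FA phone.
def change_twofa_phone_weak(session: Session, password: str, new_phone: str) -> str:
    if not verify_password(session.account, password):
        raise PermissionError("wrong password")
    old = session.account.twofa_phone
    session.account.twofa_phone = new_phone
    return old


# Hardened flow: a sensitive change needs a *fresh* second-factor proof (step-up).
STEP_UP_MAX_AGE = 300  # seconds; assumed policy value for this example


class StepUpRequired(Exception):
    pass


def change_twofa_phone_hardened(session: Session, password: str, new_phone: str,
                                now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    if not verify_password(session.account, password):
        raise PermissionError("wrong password")
    proof = session.second_factor_verified_at
    if proof is None or now - proof > STEP_UP_MAX_AGE:
        # A phished password, or a hijacked trusted-device session, stops here.
        raise StepUpRequired("confirm with the current second factor before changing it")
    old = session.account.twofa_phone
    session.account.twofa_phone = new_phone
    # Consume the proof so one confirmation cannot authorise a chain of changes.
    session.second_factor_verified_at = None
    return old  # the caller should notify the old number/device of the change


def outcome(fn, *args, **kwargs) -> str:
    """Run a change and report 'changed', 'step-up' or 'denied' (demonstration helper)."""
    try:
        fn(*args, **kwargs)
        return "changed"
    except StepUpRequired:
        return "step-up"
    except PermissionError:
        return "denied"


def make_sample(now: float = 1_690_000_000.0):
    """Constructed sample account plus a password-only session, as a phisher would hold."""
    salt = b"\x00" * 16
    acct = Account(hash_password("correct horse", salt), salt,
                   "+1-555-0100", b"12345678901234567890")
    return acct, Session(acct, authenticated_at=now)
```

The point of the hardened version is the order of checks: the password gate is passed in both flows, but only a proof tied to the second factor that is about to be replaced authorises the replacement, and that proof expires and is consumed, so a stolen password and a still-valid trusted-device session are not enough by themselves.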




This sounds like a technology enabled rare "phishing" scenario rather than major security vulnerability.

It requires tricking the end-user in many different steps. It is not major by any means.

1. The user must have motivation to download the malicious app.

2. If it is a copy of other app, it must trick the end-user to believe that it is actually original. Chance for copy is low due to App Store policies.

3. There must be a valid reason for the end-user that the login to Apple is necessary.

4. The end-user must believe that the Sign in alert originates from the system.

5. The end-user must give permissions to use Face ID or Touch ID.

6. The end-user must not wonder about double-login, since I believe that it must happen before Face ID can actually be used for logging in?

> 2. There is no security measure to confirm that Sign in Apple ID with Face ID is called from within a trusted app.

It is up to the end-user and App store to decide, unfortunately. API must be accessible for Apps to be able to use it.

> 3. There is no security measure when you change 2FA information, even if you have already enabled Apple ID's 2FA.

That is the problem for all root level security features.


Yeah, this is because the user has been phished and compromised the AppleID password.

But the most important issue in this incident is that a user modifying 2FA information on an Apple ID account does not require confirmation of the 2FA. I think it's a major program-flow security vulnerability. The 2FA should be the last security measure for the Apple ID, even if the Apple ID password has been compromised. In most cases, people who try to steal can't skip the 2FA, until they find a way to skip 2FA: sign in on a trusted device of the Apple ID.

> 1. The user must have motivation to download the malicious app.

In fact, the app in this case is available in the App Store. The developer of the app has a server to change the app's appearance, and it passed the App Store review.

> 4. The end-user must believe that the Sign in alert originates from the system

Yes, the Sign in alert originates from the system. You can view this picture, and think about whether you would realize you're signing into your Apple ID in the first place. This is the picture: https://i.imgur.com/cexSIbrl.jpg


This is insane, and what surprises me most is Apple's customer service according to the original post: they know barely anything, denied their customer's reasonable request, and show no respect nor professional attitude. They just say 'no' to things they don't understand or believe.


As a side note - I’ve found dealing with customer support of any tech business of moderate size and above exactly like this. They have a script and know nothing. The only way to get issues raised and resolved is to know someone (be known as an expert and not some grunt) or be calling from a large customer. sigh


Email this to product-security@apple.com.



