Yeah, this is because the user was phished and the Apple ID password was compromised.
But the most important issue in this incident is that modifying 2FA information on an Apple ID account does not require confirmation via the 2FA. I think it's a major program-flow security vulnerability. 2FA should be the last security measure for an Apple ID, even if the Apple ID password has been compromised. In most cases, people who try to steal an account can't skip the 2FA, until they find a way to skip it: signing in on a trusted device of the Apple ID.
> 1. The user must have motivation to download the malicious app.
In fact, the app in this case is available in the App Store. The developer of the app has a server to change the app's appearance, and it passed the App Store review.
> 4. The end-user must believe that the Sign in alert originates from the system
Yes, the Sign in alert does originate from the system. You can view this picture and think about whether you would realize you're signing into your Apple ID in the first place. This is the picture: https://i.imgur.com/cexSIbrl.jpg
It requires tricking the end-user at many different steps. It is not major by any means.
1. The user must have motivation to download the malicious app.
2. If it is a copy of another app, it must trick the end-user into believing that it is actually the original. The chance of a copy is low due to App Store policies.
3. There must be a valid reason for the end-user to believe that the login to Apple is necessary.
4. The end-user must believe that the Sign in alert originates from the system.
5. The end-user must give permissions to use Face ID or Touch ID.
6. The end-user must not wonder about the double login, since I believe that it must happen before Face ID can actually be used for logging in?
> 2. There is no security measure to confirm that Sign in Apple ID with Face ID is called from within a trusted app.
It is up to the end-user and the App Store to decide, unfortunately. The API must be accessible for apps to be able to use it.
> 3. There is no security measure when you change 2FA information, even if you already turned on the Apple ID's 2FA.
That is the problem for all root-level security features.