How attackers are abusing Apple's password reset flow to phish users
Recently, some Apple users were targeted by phishing attacks that abuse a weakness in Apple's password reset system. According to KrebsOnSecurity, a cyber security news site, the attacks flood the target's devices with a stream of system pop-ups asking the user to approve a password reset. Some targets then received calls spoofing Apple's support number, asking for a one-time code.
Users who experienced the attack shared their accounts with KrebsOnSecurity. They reported that the constant password reset prompts made their iPhones, MacBooks, and Apple Watches unusable until each one was dismissed, which could mean clearing up to 100 prompts in a row.
After the targets declined all of the reset requests, they received a call that appeared to come from Apple's support number. The scammers, who had possibly obtained the victim's personal details from people-search websites, tried to talk the victim into reading out the one-time reset code that Apple had just sent. With that code, the attackers could take over the Apple ID, change its password, and remotely erase every device signed in to it.
An iPhone user also faced the same issue on a new iPhone and iCloud account after he had changed his passwords. He believes the attackers only needed the phone number associated with the Apple ID to make the notifications appear.
Another user, who was also a victim of the attack, said that he was awakened in the middle of the night by an Apple Watch notification that nearly caused him to accidentally authorise the reset request.
Apple has yet to comment on the attacks. However, Kishan Bagaria, a software engineer who reported a similar problem to Apple in 2019, believes the password reset system lacks effective rate limiting: it does not appear to cap the number of reset prompts that can be sent to one account within a short period.
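The rate-limiting gap Bagaria describes is a control that belongs on the account side of the recovery flow, since the attacker apparently needs nothing more than the victim's phone number to trigger prompts. The following is an added example, not Apple's code: a sliding-window limiter that caps how many reset prompts an account can receive per hour (the limits are assumed values), plus a detector that flags accounts whose prompt volume looks like bombing when run over a constructed event log.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; these are not Apple's real limits.
MAX_PROMPTS_PER_WINDOW = 3
WINDOW_SECONDS = 3600


class ResetPromptLimiter:
    """Per-account sliding-window limiter for password reset prompts.

    The key is the account, not the requester's IP or device, so an attacker
    who knows only the victim's phone number cannot push more than
    MAX_PROMPTS_PER_WINDOW prompts to that victim's devices per window.
    """

    def __init__(self, max_prompts=MAX_PROMPTS_PER_WINDOW, window_seconds=WINDOW_SECONDS):
        self.max_prompts = max_prompts
        self.window_seconds = window_seconds
        self._history = defaultdict(deque)  # account -> timestamps of delivered prompts

    def allow(self, account, now):
        """Return True (and record the prompt) if a prompt may be sent to `account` at time `now`."""
        q = self._history[account]
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:      # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= self.max_prompts:   # budget exhausted: silently drop the prompt
            return False
        q.append(now)
        return True


def simulate_flood(limiter, account, n_requests, start, spacing):
    """Attacker fires `n_requests` reset requests `spacing` seconds apart; return prompts delivered."""
    delivered = 0
    for i in range(n_requests):
        if limiter.allow(account, start + i * spacing):
            delivered += 1
    return delivered


def detect_prompt_bombing(events, threshold=10, window_seconds=600):
    """Flag accounts that received more than `threshold` reset prompts in any window.

    `events` are (timestamp, account, event_kind) tuples. Returns a dict of
    flagged account -> peak number of prompts seen inside one window.
    """
    by_account = defaultdict(list)
    for ts, account, kind in events:
        if kind == "password_reset_prompt":
            by_account[account].append(ts)

    flagged = {}
    for account, times in by_account.items():
        times.sort()
        peak = 0
        start = 0
        for end, ts in enumerate(times):   # two-pointer sliding window over sorted timestamps
            while ts - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[account] = peak
    return flagged


# Constructed sample log: 100 prompts in five minutes against the victim,
# two routine prompts hours apart for another user, plus an unrelated login event.
SAMPLE_EVENTS = (
    [(1000.0 + 3 * i, "victim@example.com", "password_reset_prompt") for i in range(100)]
    + [(5000.0, "normal@example.com", "password_reset_prompt"),
       (20000.0, "normal@example.com", "password_reset_prompt"),
       (6000.0, "victim@example.com", "login_success")]
)


if __name__ == "__main__":
    limiter = ResetPromptLimiter()
    print("prompts delivered under limiter:",
          simulate_flood(limiter, "victim@example.com", 100, 1000.0, 3.0))
    print("accounts flagged by detector:", detect_prompt_bombing(SAMPLE_EVENTS))
```

With the assumed policy, the same 100-request flood yields three prompts instead of a hundred, and the detector flags the victim account from the raw prompt log while leaving the routine user alone. The budget is charged when a prompt is delivered, so the attacker cannot reset it by having the victim dismiss the prompts.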
Apple users should treat unexpected password reset prompts or support calls as hostile. Enabling an Apple Recovery Key may help, although it makes account recovery harder if the key itself is lost. The most important rule is never to read a one-time passcode to anyone, including callers claiming to be from Apple or any other company: legitimate support staff will never ask for it.
Where the option exists, prefer multi-factor authentication that withstands the "MFA fatigue" tactic cybercriminals increasingly use, for example prompts that require the user to enter a number shown on the login screen rather than a one-tap approve button. For now, vigilance and a healthy suspicion of unsolicited prompts and calls remain the best defence against these phishing attempts aimed at Apple users.