The ability to reset your iCloud password with a keycode is a security flaw

16 pointsgkiely3y ago6 comments

I just wanted to share this in the hopes that someone at Apple sees this and to make others aware of the scam.

A friend of mine over the weekend mistakenly tried to help someone and they saw him enter his passcode.

The thieves took his phone and then shortly after his iCloud password was reset, making it impossible to access the phone or disable the phone via find my phone.

The perps then had access to all his accounts, started making fraudulent charges and likely accessing his data.

This was a huge privacy breach for him and apple is unable to do anything other than reset the iCloud password, which takes 24 hours. I am unsure if this will rectify the issue.

My friend made a mistake but nonetheless this could've been prevented by a simple security question or 2 factor authorization from another device.

I've included a number of other occurrences of this happening below.

I call on anyone who works at Apple to raise this issue up the chain of command.

And also to reaffirm the advice to never give your phone to a stranger, which I unfortunately had not given to this friend.

People who have had this issue:

https://www.reddit.com/r/applehelp/comments/t7hbxm/iphone_stolen_and_icloud_password_and_backup/

https://www.reddit.com/r/ios/comments/womh4g/iphone_stolen_icloud_password_and_trusted_phone/

https://www.reddit.com/r/ios/comments/ob19kv/iphone_stolen_apple_id_hacked_and_password/

https://www.reddit.com/r/applehelp/comments/wquqr8/my_iphone_was_stolen_and_it_seems_my_icloud/

https://www.reddit.com/r/ios/comments/pp0dua/iphone_stolen_thieves_changed_my_apple_id/

https://www.reddit.com/r/applehelp/comments/wrjif9/iphone_stolen_with_passcode_and_apple_id_password/

6 comments

warning263y ago

Definitely a good reminder to use a secure passcode for your phone. (And to definitely avoid the 4-digit pincode.)

I suppose realistically since your phone is almost always the "second factor" in 2FA, if your phone is stolen+compromised you're completely screwed. Do there exist 2FA solutions that don't become 1FA if it's just your phone?

gkielyOP3y ago

Agreed, I updated my passcode to an alphanumeric after this happened.

I am not aware of such solutions but would be interested to learn more if there are.

gkielyOP3y ago

After much digging, here is a way to prevent account changes from the device.

Steps:

1. Settings > Screen time > Use screen time pass code > Enter a different passcode to your main one that you will remember

2. Settings > Screen time > Content & Privacy Restrictions > Scroll down to Account changes > Don’t allow

This prevents account changes from the device, unless you have the second passcode.

This would not prevent a thief who was aware of this (they could attempt to disable screen time then request the second passcode), but it would prevent a pickpocket who happens to see your passcode being entered from changing your iCloud account details.

BjoernKW3y ago

That's a clever hack. Thanks for finding that out and for sharing this approach.

It's not an optimal solution, but until Apple themselves come up with something better it's at least sufficient to ward off potentially severe consequences from petty crime or crimes of opportunity.

ojkelly3y ago

Reading through this and those links this seems like a significantly harmful vulnerability that’s being actively exploited.

I can’t imagine many people who _wouldn’t_ give up their phones passcode at gunpoint.

What options do we have to protect against this?

If your life is threatened a dummy passcode is likely to aggravate and make things worse.

Would MDM enrolment help here?

What are the gains here for the thieves? Hardware that can be sold when unlocked, which needs iCloud changed — which the OP points out can be changed with just the device passcode.

Apps with FaceID (ie maybe your bank) would be safe, but they could also just force you to look at your phone.

Could there be a default 1 week countdown for removing activation lock? And automatically enable and broadcast via find my iPhone during that time?

BjoernKW3y ago

The particular attack vector mentioned in the original post could be mitigated by not allowing users to change their iCloud password from their unlocked mobile devices without either additional Face ID verification or entering their current iCloud password.

Furthermore, the ability to log yourself out from all other devices seems more harmful than useful, too. Other than all of my other devices having been stolen, what's the potential use case here? If my iCloud password has been compromised but I still have a device that password is currently used on, why wouldn't I be want to still be logged in on that device for the time being?

Other than that, some alternative way of remotely wiping and bricking a stolen could be helpful and might work as a deterrent for thieves, too. For example, similar to how 1Password does this, Apple could allow their iCloud users to generate a master key that would authenticate in such a situation and authorize them to carry out such actions.

j / k navigate · click thread line to collapse