AppleInsider › Forums › Mobile › iCloud › Users raise questions about Apple's security after iCloud hacks

Users raise questions about Apple's security after iCloud hacks

post #1 of 45
Thread Starter 
A small number of iCloud accounts reportedly protected by secure, randomly generated passwords have been compromised, prompting speculation by users that a security breach may have occurred on Apple's servers.

The details come from a thread on the Apple Support Communities forum, where users of Apple's iCloud service have voiced concern that their accounts were compromised. One of the affected people, with the username "solargaze," said their Me.com e-mail address was hacked into and began sending out spam on Wednesday.

"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudo-randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.

"I'm worried that Apple's iCloud servers themselves got hacked, as I see there are a few other people on the forums who are reporting that their account was used for spam in the last few hours."

A second thread was also started this week by another user experiencing similar issues. The threads have a relatively small number of replies and reader views, suggesting any possible coordinated hacking of iCloud accounts was not widespread.

Users affected by the apparent string of hacks say they found a series of spam e-mails in the "Sent" folder of their iCloud e-mail account. The advertisements were sent to users' contacts that were synced with iCloud, and were related to "making money on your home computer."

"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."

That person said the spam messages were sent out to contacts that were only synced with iCloud. Contacts stored with Microsoft Outlook and Mozilla Thunderbird did not receive any spam from their account.

Most of the users on the thread said they do not use their iCloud or MobileMe e-mail addresses. They discovered their account had been compromised after they received text messages and e-mails from friends notifying them that their accounts were sending out spam e-mails.

One user, with the handle "Øivindfromoslo," said they spoke with an Apple support representative who assisted them in removing all of their contacts from iCloud. They said they hadn't logged on to the iCloud.com website in six months and never used their Me.com e-mail address.

"I suspect that the entire issue is caused by some weakness on (Apple's) end," they wrote, "either in the icloud.com logon part or in the iOS software (one might be able to extract iCloud logon info with a specifically crafted website or something, who knows)."
post #2 of 45
While it's still possible that even complex passwords were discovered through alternate methods, it's hard to say that is more likely than Apple's iCloud servers being compromised. I'd expect Apple to have used the same security methods that have kept iTunes servers secure over the years, and I wonder why it seems to be limited to so few users if it's an account server hack, which should open up millions of potential user accounts.


A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web-based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all synced via one account, which makes it easy for a single person to spy on your activities and whereabouts.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #3 of 45
Quote:
"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."

The fact that this person is an IT professional with 10 years' experience does not add validity to his statement. I've known plenty of IT professionals - some smart, some not as smart. Why should we just "trust him?" Maybe a coworker watched him type his password. Or someone was looking over his shoulder while he typed on his iOS device (where the last character is shown as you type it). Maybe someone put a key logger on his computer at his job.

 

post #4 of 45

Very curious circumstances ("I never use my iCloud account") with a complete denial of mea culpa by all posters.  Several of the posters are convinced their passwords are nigh impenetrable (randomly generated, alphanumeric and special characters with caps and lower case letters) and they are not "n00bs" who call tech support.

 

I believe if iCloud were hacked we would see widespread instances of spam rather than ten posters.  While there are likely ten or one hundred times more people who aren't posting about the spam, that is still a drop in the bucket of iCloud users.

post #5 of 45
Quote:
Originally Posted by Gustav View Post

Maybe someone put a key logger on his computer at his job.

Or he logged into a machine that was compromised.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #6 of 45

This guy being a Pro means that he knows that it's still possible to brute force a random password. That it was something like fewer than 100 out of millions of users actually shows that Apple's security is tight and someone did just get lucky with the randomizers.

 

I know a white hat that tried this kind of stunt just to prove to a client that it was possible. He had his script drop all passwords that had words, were fewer than 12 characters, or didn't have at least one number and one symbol. He also checked all number sequences against the zip code listings in the country and removed any password with that sequence. Took something like 5 days, but the client's 'totally impossible to break' password was broken.

 

This particular white hat actually said that most of the time when he hacks a password for a client to show security issues, it's not the password that gets him in, it's the security question. As the WH put it, the best password in the world doesn't mean jack if your question is "who is Sir Fluffy Barks A Lot" and he can go to Facebook, search the same email, and there is your dog in bold living color all over the page. And he's seen it. A lot. Even with corporate clients. They have where they work on their page, so even though the emails are different he can still match it up, and 99% of the time the answer to the question is there.

 

It's also possible that these folks are just lying about how good their passwords were, or that they got phished and are too embarrassed to admit it, so they are blaming Apple. Even IT Pros can be fooled because their arrogance makes them sloppy.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #7 of 45
Quote:
Originally Posted by SolipsismX View Post

A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web-based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all synced via one account, which makes it easy for a single person to spy on your activities and whereabouts.

 

I don't consider that "off topic" and I agree entirely.  In fact, everyone please submit a feature request here.  You can just copy and paste SolipsismX's text.

 

If you would like to make my day, you can copy and paste the following text into another feature request for iTunes Security Info here:

 

Greetings,

 
I beseech you to add or change questions in iTunes security.  While I applaud the additional scrutiny, the questions are too restrictive and quite honestly I can't remember the answers to most of the questions.   Unfortunately, since the questions are too restrictive I am unable to purchase any new content from Apple until this is resolved.
 
 
Here are examples of questions which Apple is asking:
 
What was the first car you owned?
Who was your first teacher?
What was the first album you owned?
Where was your first job?
In which city were you first kissed?
 
Which of the cars you've owned has been your favorite?
Who was your favorite teacher?
What was the first concert you attended?
Where was your favorite job?
Who was your best childhood friend?
 
Which of the cars you've owned has been your least favorite?
Who was your least favorite teacher?
Where was your least favorite job?
In which city did your mother and father meet?
Where were you on January 1, 2000?
 
 
Many of these questions contradict or are contraindicated by good security question principles:
 

The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.

Bad examples:

  • What is your driver's license number? (I haven't memorized mine, have you?)

  • Car registration number (this may be easy for others to find on the web anyway)

But don't use questions that go back to childhood, or for that matter last year for someone like me.

Bad examples:

  • What was the name of your first pet?

  • What was your first car, favorite elementary school teacher, first kiss, etc.

 

 

Please add questions that the average person over 40 can actually remember; more importantly, see the website listed above for security question best practices:

 

In which city, county and state were you born?

What is your maternal grandmother's maiden name?

 

 

Thank you very much for your time and consideration,

 

"MacBook Pro"

post #8 of 45

Interesting that most of the hacked people claim to be in IT. Why am I not feeling better about IT people now?!

Quote:
Originally Posted by SolipsismX View Post

A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web-based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all synced via one account, which makes it easy for a single person to spy on your activities and whereabouts.

 

It was possible to see your devices with MobileMe. I don't know why you can't with iCloud. I think this is a basic feature that needs to be added. If you write a feature request for this we can then copy and paste it into Apple feedback form.

post #9 of 45
Quote:
Originally Posted by Gustav View Post

The fact that this person is an IT professional with 10 years' experience does not add validity to his statement. I've known plenty of IT professionals - some smart, some not as smart. Why should we just "trust him?" Maybe a coworker watched him type his password. Or someone was looking over his shoulder while he typed on his iOS device (where the last character is shown as you type it). Maybe someone put a key logger on his computer at his job.

 

 

Quote:
Originally Posted by SolipsismX View Post


Or he logged into a machine that was compromised.

 

Or someone is capturing his wireless network traffic.

Or someone hacked the random password generator (and those 10 posters all using the same application).

Or someone really did use a brute force attack on their password.

 

 

It took me about 30 seconds to figure out a "crack" for iCloud if I have someone's Apple ID and considering the ubiquity of iCloud you can probably just try any name at iCloud.com with some small chance of success.  Unfortunately, iCloud is very vulnerable to social hacks apparently (based on the 30 second "crack").  I should add that I am no Charlie Miller either so this is something any computer savvy person could discover (disclaimer: I do have formal education in network administration).

post #10 of 45
Quote:
Originally Posted by NasserAE View Post

It was possible to see your devices with MobileMe. I don't know why you can't with iCloud. I think this is a basic feature that needs to be added. If you write a feature request for this we can then copy and paste it into Apple feedback form.

 

Haha.  See the post immediately preceding yours.  I just copied and pasted his text verbatim.

post #11 of 45

As for security questions, I always answer them with nonsensical answers.

 

What was your mother's maiden name?

Traffic light is green.

 

What is your pet's name?

Do you like yellow?

 

Where were you born?

I ate a pear.

 

And answer them differently for each site. Store them in an encrypted file or write them down and store the paper securely and you're good.

post #12 of 45

If these are randomly generated passwords that are too complex to remember, and only iCloud contacts are being spammed, then it's pretty obvious these people are using password managers, and most likely that is where the security breach lies.  They probably have some kind of phishing derived malware on their machines.  At least one of them is a Windows based user.  I wonder if they all are.

post #13 of 45
Quote:
Originally Posted by NasserAE View Post

Interesting that most of the hacked people claim to be in IT. Why am I not feeling better about IT people now?!

 

 

Does this fact suggest that IT people are more susceptible to being hacked or they are more likely to detect the intrusion? Causation vs correlation...

post #14 of 45
^ No, it suggests people lie their a$$es off when posting online to make their issue seem more serious than it is.
post #15 of 45

Did these people use the same "uncrackable" password on yahoo.com, hotmail.com or elsewhere? If so, a breach of security at potentially any of these sites could have led to their me.com account being compromised.

 

I avoid iCloud (and Goople) privacy and security issues by using Mac OS X Server, by the way.  e-mail, caldav, carddav.

post #16 of 45

This is deeply worrying news for consumers who are actively living in the iCloud.

post #17 of 45
Quote:
Originally Posted by eksodos View Post
This is deeply worrying news for anyone dumb enough to use the same password everywhere they go and exhibit unsafe logging practices.

 

You mean.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #18 of 45

I don't understand why people think it's so impossible to crack a password. It's possible and it happens a lot. My friend with a Yahoo mail account sent me spam the other day. I was even hacked some time ago when I was using Yahoo mail. That password was pretty damn good, I thought. It happens everywhere. With 20 million people using something, 10 are bound to get hacked sooner or later. When there are 50,000 getting hacked, well then I'll care about it....

post #19 of 45

I like how everyone initially points the finger at the service provider when they have been hacked.  This is right before they discover one or more of the following:

 

1.  Their password was their name/address/dob/password/password00/passw0rd  etc

2.  Their PC is infected or they logged onto an infected machine which grabbed their stored passwords.

3.  They logged onto a phishing site.

4.  They use their icloud account email address and same password for Facebook etc and it was hacked from there.  This happens A LOT!!

 

The weakest link in this is the user, and then to cover up their stupidity they blame the system.

post #20 of 45
Quote:
Originally Posted by AppleInsider View Post

I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudo-randomly generated string of 15 numbers, letters

 

lol, and then he goes on to say he has IT experience. I guess he never heard of key loggers, malware, password hashing, social engineering, etc, etc, etc, in all that time eh? 

post #21 of 45
How about SkoobieHueyDeweyMickyDaisyGoofyYogeyBoboSacramento? ?

Eight characters and a capital!

/blonde
A big heart is commendable, an enlarged heart is a medical condition.
post #22 of 45
^ Booboo...
A big heart is commendable, an enlarged heart is a medical condition.
post #23 of 45

I'd love if websites would let me use non-Latin characters for my passwords.

 

I mean come on! No one would associate a password made of Japanese wordplay with an American who hasn't been anywhere foreign but Ireland and Canada!

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #24 of 45

When I reluctantly signed up for iCloud in order to preserve my mac.com email address, I disabled Address Book syncing altogether because of security concerns. If vandals can hack Bank of America, they can certainly hack Apple. I do keep a copy of my Address Book on my iPhone and iPad, but I sync them the old-fashioned way: via iTunes. It's a jungle out there.

post #25 of 45

I do exactly the same thing. 

(oops, maybe I shouldn't be saying this)

post #26 of 45

#$@*& new comment format.   ...f$#k it.

post #27 of 45
Quote:
Originally Posted by The Friendly Grizzly View Post

^ Booboo...

You forgot PicAneeBaskets
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #28 of 45
Quote:
Originally Posted by Cpsro View Post
I avoid iCloud (and Goople) privacy and security issues by using Mac OS X Server, by the way.  e-mail, caldav, carddav.

There you go, but how can you use Back to My Mac? That is actually the only feature I cannot replicate for myself when the computers are behind a firewall with dynamic NAT IPs. Syncing the contacts across various devices is a nice feature also.

Life is too short to drink bad coffee.

post #29 of 45
Quote:
Originally Posted by Cpsro View Post

I avoid iCloud (and Goople) privacy and security issues by using Mac OS X Server, by the way.  e-mail, caldav, carddav.

 

 

Does this imply that Apple's iCloud does not run on Mac OS X Server?
post #30 of 45
Quote:
Originally Posted by Haggar View Post
Does this imply that Apple's iCloud does not run on Mac OS X Server?

 

Whether or not it does, it's true.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #31 of 45

Well you could pick a question and provide an answer that is completely unrelated to the question. 

 

i.e.:

 

Q: In what city were you born?

A: Superman001

 

Only you would know the answer to that. A brute force would have to first guess the correct question then supply a zillion possible answers. Providing an unrelated answer here would throw off a brute force dictionary attack if its definition list was names of cities.

 

Apple could also use multi-token authentication like banks do. Enter your password, answer question(s) correctly, enter identification code sent to mobile/email, and enter a correct captcha to enter.

 

Of course this just adds more layers, and the data could be captured in a MITM attack and later decrypted.

 

z3r0

 

 

Quote:
Originally Posted by MacBook Pro View Post

 

I don't consider that "off topic" and I agree entirely.  In fact, everyone please submit a feature request here.  You can just copy and paste SolipsismX's text.

 

If you would like to make my day, you can copy and paste the following text into another feature request for iTunes Security Info here:

 

Greetings,

 
I beseech you to add or change questions in iTunes security.  While I applaud the additional scrutiny, the questions are too restrictive and quite honestly I can't remember the answers to most of the questions.   Unfortunately, since the questions are too restrictive I am unable to purchase any new content from Apple until this is resolved.
 
 
Here are examples of questions which Apple is asking:
 
What was the first car you owned?
Who was your first teacher?
What was the first album you owned?
Where was your first job?
In which city were you first kissed?
 
Which of the cars you've owned has been your favorite?
Who was your favorite teacher?
What was the first concert you attended?
Where was your favorite job?
Who was your best childhood friend?
 
Which of the cars you've owned has been your least favorite?
Who was your least favorite teacher?
Where was your least favorite job?
In which city did your mother and father meet?
Where were you on January 1, 2000?
 
 
Many of these questions contradict or are contraindicated by good security question principles:
 

The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.

Bad examples:

  • What is your driver's license number? (I haven't memorized mine, have you?)

  • Car registration number (this may be easy for others to find on the web anyway)

But don't use questions that go back to childhood, or for that matter last year for someone like me.

Bad examples:

  • What was the name of your first pet?

  • What was your first car, favorite elementary school teacher, first kiss, etc.

 

 

Please add questions that the average person over 40 can actually remember; more importantly, see the website listed above for security question best practices:

 

In which city, county and state were you born?

What is your maternal grandmother's maiden name?

 

 

Thank you very much for your time and consideration,

 

"MacBook Pro"

post #32 of 45

I don't think I'd hire that IT professional, as he should know already that passwords are hacked by sniffing insecure wireless networks. And also, while I don't know this as a fact for me.com, it would be normal for his password to be stored as a one-way hash value...

post #33 of 45
Quote:
Originally Posted by SolipsismX View Post

A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web-based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all synced via one account, which makes it easy for a single person to spy on your activities and whereabouts.


Yahoo does this already, and I think it's a fantastic feature.

 

The most sinister use of hacking someone's iCloud password would be to restore from their iPhone backup. You would get EVERYTHING. Texts, photos (not just photo stream), complete contact list, emails, even proprietary app data.

 

Apple's new security question policy does much to prevent this kind of thing, however.

post #34 of 45

Well it is actually quite easy to send an email with a spoofed address.  That's how most spam is sent, not via hacked accounts, way too many sendmail servers with little to no verification/authentication.

 

All it takes is for your address to be harvested on an email list and you are a potential fake address used to generate spam, which may get past some spam blockers because it is a valid address in a recipient's address book.

 

The emails in the sent folder are an interesting twist, but more likely due to social engineering or keylogging from a Windows machine. If there was a real exploit within the iCloud infrastructure this would be a widespread problem.  

post #35 of 45
Quote:
Originally Posted by Hiro View Post

Well it is actually quite easy to send an email with a spoofed address.  That's how most spam is sent, not via hacked accounts, way too many sendmail servers with little to no verification/authentication.

 

All it takes is for your address to be harvested on an email list and you are a potential fake address used to generate spam, which may get past some spam blockers because it is a valid address in a recipient's address book.

 

The emails in the sent folder are an interesting twist, but more likely due to social engineering or keylogging from a Windows machine. If there was a real exploit within the iCloud infrastructure this would be a widespread problem.  

Here is the first poster who's actually using his brain. This is what I also suspect happened to my account. Since I have a very strong password I suspect it was more a matter of spoofing than hacking.

 

If you see below, I attached a junk mail I received on my @me mailbox. You can see the sender and the content.

 

 

 

 

 

A bit later I get this error from a mail daemon stating that my mail did not reach the recipient:

 

 

I clearly did not send that junk mail to anyone, nor did I know of its existence till I received the error above and I checked the junk mail to trace this.

 

If anyone wants me to post the full headers I'll be happy to do it.


Edited by AndreiD - 6/26/12 at 12:55am
post #36 of 45
Quote:
Originally Posted by AndreiD View Post
If anyone wants me to post the full headers i'll be happy to do it.

 

You may wish to remove your personal information from them if you do, as you missed one in the images you've posted already.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #37 of 45
Quote:
Originally Posted by AppleInsider View Post

"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudo-randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.

 

Perhaps he's not as overzealous as he thinks?

 

http://xkcd.com/936/

 

[image: xkcd 936, "Password Strength"]

post #38 of 45
Quote:
Originally Posted by MacBook Pro View Post

 

If you would like to make my day, you can copy and paste the following text into another feature request for iTunes Security Info here:

 

 

People do realize you don't have to, and really never should, type in real answers to any security questions - right?

 

I use the excellent 1Password application on my Macs and Windows machines, as well as my iPhone and iPad.  It makes having different random passwords of a long length, as well as the same for security questions trivial. 

 

And it solves the whole memory problem - I just have to remember the master password.
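
To put numbers on the brute-force story in post #6, the xkcd link in post #37 and the random-answer approach in posts #31 and #38, here is an added example; it is not code from the original thread, from the posters or from Apple. It computes the entropy of the password styles the thread discusses, converts that into an average time-to-crack at two guess rates, and generates random passwords and throw-away "security question" answers from the OS CSPRNG. The two guess rates and the ten-word list are assumptions chosen so the demo runs offline; a real passphrase generator should draw from a published list of a few thousand words, which is what the 2048-word row assumes.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The alphabet the first poster describes: upper, lower, digits and symbols
# (the 94 printable ASCII characters other than space).
MIXED_94 = string.ascii_letters + string.digits + string.punctuation

# Guess rates for comparison. Both are ASSUMPTIONS chosen for illustration,
# not measurements of any real login service or cracking rig.
GUESS_RATES = {
    "online, against a throttled login form": 10.0,
    "offline, against a leaked fast hash on GPUs": 1e10,
}

# Constructed ten-word list so the demo runs offline. A real generator should
# use a published list of a few thousand words; the 2048-word row assumes that.
WORDS = "correct horse battery staple pear yellow traffic light coffee jungle".split()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses before the right one turns up: half the keyspace."""
    return 2.0 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average wall-clock years to find a secret of `bits` entropy at a given guess rate."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def random_chars(n: int, alphabet: str = MIXED_94) -> str:
    """Password of the kind the first poster describes, from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(n))


def random_words(n: int, wordlist=WORDS) -> str:
    """xkcd-style passphrase; also the right shape for a throw-away security-question answer."""
    return " ".join(secrets.choice(wordlist) for _ in range(n))


def report() -> dict:
    """Entropy and average crack time for the password styles discussed in the thread."""
    rows = {
        "15 random chars from 94 symbols": entropy_bits(94, 15),
        "8 random chars from 94 symbols": entropy_bits(94, 8),
        "4 random words from a 2048-word list": entropy_bits(2048, 4),
        "'first car?' answered honestly (1 of ~500 common models)": entropy_bits(500, 1),
    }
    for label, bits in rows.items():
        print(f"{label}: {bits:.1f} bits")
        for scenario, rate in GUESS_RATES.items():
            print(f"    {scenario}: ~{years_to_crack(bits, rate):.3g} years on average")
    return rows


if __name__ == "__main__":
    report()
    print("random password:", random_chars(15))
    print("random answer:  ", random_words(4))
```

Run it directly to print the table. The arithmetic is the check a practitioner would want on the thread's competing theories: a 15-character random password from a 94-symbol alphabet carries about 98 bits, which no online guessing rate reaches, while an honest answer to "first car?" carries under 10 bits and falls in seconds. If an account with such a password really did put spam in its own Sent folder, the credential or a session leaked by some other route (malware, reuse on another site, a reset flow through guessable questions), which is why a random, per-site answer stored in a password manager is the right shape for a security question.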

post #39 of 45
Quote:
Originally Posted by DocNo42 View Post

 

People do realize you don't have to, and really never should, type in real answers to any security questions - right?

 

I use the excellent 1Password application on my Macs and Windows machines, as well as my iPhone and iPad.  It makes having different random passwords of a long length, as well as the same for security questions trivial. 

 

And it solves the whole memory problem - I just have to remember the master password.

 

Bull.  

 

Why should you not type in real answers to security questions?  If proper questions are used then the information isn't readily discoverable at least no more so than a random answer.

 

I use 1Password as well but I don't consider that a proper solution for this particular issue.

post #40 of 45

Full headers could shed some light on origins.

Just blank personal info out.
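
Posts #34, #35 and #40 make the point that full headers distinguish a sender that was merely spoofed from mail that really went out through the account's provider. The following is an added example, not the poster's real headers and not any Apple code: it parses two constructed messages with Python's email package, walks the Received: chain from the oldest hop, reads the Authentication-Results: verdicts and classifies each. The provider MTA suffix, the hostnames and the documentation-range IP addresses are assumptions; substitute what the headers you are actually looking at show.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# ASSUMPTIONS for this example: the account lives at this provider domain, and the
# provider's outbound mail servers all sit under this DNS suffix. The real MTA
# hostnames are not on the page; replace both with what your own headers show.
PROVIDER_DOMAIN = "me.com"
PROVIDER_MTA_SUFFIX = ".mail." + PROVIDER_DOMAIN

# "from <host> ... by <host>" inside a Received: header.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)
# "spf=pass", "dkim=fail", ... inside an Authentication-Results: header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample 1: direct-to-MX spam from a dynamic IP that only forges the
# From: line. The recipient's MX is the first server to see it; SPF fails, no DKIM.
SPOOFED = """\
Return-Path: <bounce-17@mailer.example.net>
Received: from mx-in.example.org (mx-in.example.org [192.0.2.10]) by imap.example.org with LMTP id 1; Tue, 26 Jun 2012 00:41:02 +0000
Received: from unknown (HELO 203-0-113-77.dyn.example.net) (203.0.113.77) by mx-in.example.org with SMTP; Tue, 26 Jun 2012 00:41:01 +0000
Authentication-Results: mx-in.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: Alice Example <alice@me.com>
To: bob@example.org
Subject: Make money on your home computer
Message-ID: <20120626004101.17@203-0-113-77.dyn.example.net>

Work from home and earn! (constructed sample body)
"""

# Constructed sample 2: the same spam submitted through the provider's own
# authenticated webmail, so the oldest hop is the provider's MTA and the provider's
# DKIM signature verifies. Headers alone cannot separate the owner logging in from
# a stolen credential being used; a copy in the Sent folder is what settles that.
COMPROMISED = """\
Return-Path: <alice@me.com>
Received: from outbound01.mail.me.com (outbound01.mail.me.com [198.51.100.20]) by mx-in.example.org with ESMTPS id 2; Wed, 27 Jun 2012 09:12:44 +0000
Received: from webmail03.mail.me.com ([198.51.100.5]) by outbound01.mail.me.com with ESMTPSA id 3; Wed, 27 Jun 2012 09:12:43 +0000
Authentication-Results: mx-in.example.org; spf=pass smtp.mailfrom=me.com; dkim=pass header.d=me.com
From: Alice Example <alice@me.com>
To: bob@example.org
Subject: Make money on your home computer
Message-ID: <20120627091243.9@webmail03.mail.me.com>

Work from home and earn! (constructed sample body)
"""


def parse(raw: str):
    return message_from_string(raw, policy=policy.default)


def hops(msg):
    """(from_host, by_host) per Received: header, oldest hop first.
    Each relay prepends its own Received: line, so the bottom one is the origin."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(hdr))
        if m:
            chain.append((m.group(1).strip("[]();"), m.group(2).strip("[]();").lower()))
    return chain


def auth_results(msg):
    """Mechanism -> verdict from Authentication-Results:, e.g. {'spf': 'fail', 'dkim': 'none'}."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def classify(raw: str) -> str:
    msg = parse(raw)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    auth = auth_results(msg)
    chain = hops(msg)
    origin_by = chain[0][1] if chain else ""
    via_provider = origin_by.endswith(PROVIDER_MTA_SUFFIX)
    if from_domain == PROVIDER_DOMAIN and via_provider and auth.get("dkim") == "pass":
        return "sent-through-provider"   # the account itself was used to send
    if not via_provider and (auth.get("spf") == "fail" or auth.get("dkim") in (None, "none", "fail")):
        return "spoofed-sender"          # From: forged; the account was never touched
    return "inconclusive"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED)):
        print(name, "->", classify(raw), hops(parse(raw)), auth_results(parse(raw)))
```

Two practical notes. A spoofer never touches the victim's account, so a copy of the spam in the Sent folder, as the original thread reports, already rules spoofing out for that account; the header walk is what you use when all you have is a bounce or a complaint from a contact. When posting headers for others to read, blank the recipient addresses and the Message-ID but leave the Received: and Authentication-Results: lines intact, because those are the lines that carry the evidence.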
 
