Flaws in Apple & Asurion websites expose PINs of millions of iPhone users

AppleInsider

Although already fixed, security vulnerabilites at Apple's online store and the website for Asurion, a phone insurance firm, recently exposed the PINs of millions of mobile accounts, a report revealed on Friday.

The Apple vulnerability exposed the PINs of "over 72 million" T-Mobile subscribers, BuzzFeed News claimed. Asurion is noted to have had a separate flaw, affecting the PINs of AT&T customers.

Both Apple and Asurion remedied the situation after BuzzFeed shared findings from security researchers "Phobia" and Nicholas "Convict" Ceraolo. In Apple's case, an account validation page that asked for a T-Mobile cell number and a PIN or Social Security number would potentially let hackers try an infinite amount of attempts -- unlike forms for the other three major U.S. carriers, which were already protected by rate limiters.

The problem may have been an engineering mistake made when linking a T-Mobile API to Apple's website, Ceraolo said.

The Asurion vulnerability let people who knew an AT&T user's phone number obtain access to another form asking for their PIN, which like Apple's page lacked a rate limiter.

The Apple flaw is unrelated to a T-Mobile server breach which exposed some of the personal information of about 3 percent of the carrier's subscribers. That attack took place on Aug. 20.

nunzy

This sounds like it is T-Mobile 's fault, and not Apple's.

mplsp

... and is there any evidence it was exploited?

adamc

So what is the Apple vulnerability? Care to explain.

rayz2016

adamc said:

So what is the Apple vulnerability? Care to explain.

If a nefarious actor (my favourite expression) has access to your phone number then they could go to the form and keep trying PIN numbers until they hit the right one. What Apple failed to do was limit the number of times the aforementioned actor could enter a PIN number.  Three attempts should lock you out of the form. 

ericthehalfbee

The original article is confusing. When they say “exposed 77 million PINs” it sounds like 77 million people (the entire T-Mobile subscriber base) had their PINs stolen.

In fact, if I read this correctly, the flaw could potentially allow someone to brute force a PIN on a given phone number. It doesn’t make any claims about this actually happening to anyone.

I’d be curious if there are numbers that show how many people had a PIN stolen. Surely they would know, as they’d get a request from a customer trying to regain access to their account or complaining about fraud. If an unusually higher than normal number of customers contacted them in a short period of time over similar account issues, then that would tip them off that there was some type of security breach. If the numbers haven’t changed then it’s likely this exploit wasn’t utilized.

netmage

That's why it says "exposed" and not "stolen". Exposed means made visible, not that anyone looked.

edited August 2018

arfshesaid...

Flaws in Apple & Asurion websites expose PINs of millions of T-Mobile iPhone users in the USA. I wouldn't have felt the need to read this non-story if the headline had mentioned all parties. I presume many more iPhone users live outside America than live in the affected region or use T-Mobile.

arfshesaid...

netmage said:

That's why it says "exposed" and not "stolen". Exposed means made visible, not that anyone looked.

That does not excuse sloppy reporting it merely exposes it.

anton zuykov

Rayz2016 said:

adamc said:

So what is the Apple vulnerability? Care to explain.

If a nefarious actor (my favourite expression) has access to your phone number then they could go to the form and keep trying PIN numbers until they hit the right one. What Apple failed to do was limit the number of times the aforementioned actor could enter a PIN number.  Three attempts should lock you out of the form. 

You don't have to limit the number of attempts. Just limit the time for a single. First 3 tries - go through immediately. 4th attempt - 1 minute delay. 5th - 2 minutes, 6th - 5 minutes, 7th - 20 minutes, 8th - 1 hrs... 

ericthehalfbee

netmage said:

That's why it says "exposed" and not "stolen". Exposed means made visible, not that anyone looked.

They weren’t visible. You could brute force to find a PIN, but it’s not there for people to look at. So not “exposed”.

dewme

Do you think that at some point, I don't know, perhaps before the next Equifax magnitude breach, somebody will come to the realization that PIN and password based security (I use that term loosely) models are inherently flawed?  W.T.F. How many times do you have to see these things happen before you realize that basing your trust relationship with a third party with everyone rendezvousing around such a flimsy model in the face of constantly expanding threats is sane in any world? At the very least there should be a revokable security token with expiries and blockchain based traceability around all transactions requiring the exchange of trust credentials. The security levee has broken and putting a strip of toilet paper across your front door isn't going to hold back the water. Ok, two strips of t.p. if you're using a non-trivial password or PIN. If you're relying on antiquated security models then pointing fingers at anyone else who fails doing the same things you are doing is like playing tag. They may be "it" today but your turn is coming soon.

uroshnor

dewme said:

Do you think that at some point, I don't know, perhaps before the next Equifax magnitude breach, somebody will come to the realization that PIN and password based security (I use that term loosely) models are inherently flawed?  W.T.F. How many times do you have to see these things happen before you realize that basing your trust relationship with a third party with everyone rendezvousing around such a flimsy model in the face of constantly expanding threats is sane in any world? At the very least there should be a revokable security token with expiries and blockchain based traceability around all transactions requiring the exchange of trust credentials. The security levee has broken and putting a strip of toilet paper across your front door isn't going to hold back the water. Ok, two strips of t.p. if you're using a non-trivial password or PIN. If you're relying on antiquated security models then pointing fingers at anyone else who fails doing the same things you are doing is like playing tag. They may be "it" today but your turn is coming soon.

1. Blockchain does not make anything more secure other than scammers bank balances.

2. The SIM is a token, and the SIM PIN is a second factor. The issue is here that it was designed to be used in a closed loop system controlled by the carrier. Phone numbers historically have been public information & were published in phone books.

3. The original inter s SIM + PIN was for access to carrier services only. The mistake of using a phone number as an IDENTITY is not JUST the carriers fault - it is a market wide problem across multiple sectors. There’s a reason why your mobile number is not trusted as proof of identity for a drivers licence or passport application. See 2.

4. So we have something being used outside it’s original intent and risk profile being found to be inadequate for a different risk profile associated with a different an totally unplanned for use-case . That’s not exactly unexpected as a consequence.

5. The blockchain does not help here. It just means anyone/everyone now gets a cryptographically signed phonebook, that can be changed arbitrarily by 51% of the people listed in it if they work together . That is likely not fit for purpose for identity from a single issuer (the carrier)

franco borgo

Rayz2016 said:

adamc said:

So what is the Apple vulnerability? Care to explain.

If a nefarious actor (my favourite expression) has access to your phone number then they could go to the form and keep trying PIN numbers until they hit the right one. What Apple failed to do was limit the number of times the aforementioned actor could enter a PIN number.  Three attempts should lock you out of the form. 

How can an Apple error affect only 1 provider. It is written a T-Mobile API. I think the API should prevent multiple attempt. If I create a website that use Apple iCoud API, you wont be able to do it.  Apple did use the API on T-mobile which was not secure. Even if apple Would Correct it, You could find the API nd use it directly and stil be able to try as many times as you want.  

rayz2016

anton zuykov said:

Rayz2016 said:

adamc said:

So what is the Apple vulnerability? Care to explain.

If a nefarious actor (my favourite expression) has access to your phone number then they could go to the form and keep trying PIN numbers until they hit the right one. What Apple failed to do was limit the number of times the aforementioned actor could enter a PIN number.  Three attempts should lock you out of the form. 

You don't have to limit the number of attempts. Just limit the time for a single. First 3 tries - go through immediately. 4th attempt - 1 minute delay. 5th - 2 minutes, 6th - 5 minutes, 7th - 20 minutes, 8th - 1 hrs... 

After 3 attempts I would lock the form and tell the user to contact their service provider directly. 

rayz2016

franco borgo said:

Rayz2016 said:

adamc said:

So what is the Apple vulnerability? Care to explain.

If a nefarious actor (my favourite expression) has access to your phone number then they could go to the form and keep trying PIN numbers until they hit the right one. What Apple failed to do was limit the number of times the aforementioned actor could enter a PIN number.  Three attempts should lock you out of the form. 

How can an Apple error affect only 1 provider. It is written a T-Mobile API. I think the API should prevent multiple attempt. If I create a website that use Apple iCoud API, you wont be able to do it.  Apple did use the API on T-mobile which was not secure. Even if apple Would Correct it, You could find the API nd use it directly and stil be able to try as many times as you want.  

Yes, that’s a very good point, and it really depends how the API is written and how Apple was instructed to use it. 

The API it might not be able to detect where the original request came from – only that it is receiving a request from the Apple site. 

rayz2016

ericthehalfbee said:

netmage said:

That's why it says "exposed" and not "stolen". Exposed means made visible, not that anyone looked.

They weren’t visible. You could brute force to find a PIN, but it’s not there for people to look at. So not “exposed”.

Yes, I have to agree that “exposed” is the wrong term. The correct term would be “vulnerable to a brute force attack”. 

maciekskontakt

Mobile or not mobile, pin or not pin, I will never keep real or nn-expired credit card with Apple account either. One can steal only money from iTunes card deposited, but not more compromising far more.

macgui

The Asurion vulnerability let people who knew an AT&T user's phone number obtain access to another form asking for their PIN, which like Apple's page lacked a rate limiter.

This is a pretty basic mistake, unlike some arcane workarounds that get through.

from The American Heritage® Dictionary of the English Language, 4th Edition:

transitive v. To subject or allow to be subjected to an action, influence, or condition: exposed themselves to disease; exposed their children to classical music.

Huh. Expose has more than one meaning. Whodda thunk it. Adding a rate limiter (in any form) would seem to help prevent someone's PIN from being subject to a brute forced.