Late Friday, Wired writer Mat Honan ran into a digital buzzsaw as his iCloud, Gmail and Twitter accounts were compromised in rapid succession. The hackers did a tremendous amount of collateral damage along the way, spewing racist and homophobic tweets on Honan's account plus the Gizmodo Twitter account (linked to his). Worse, they proceeded to wipe all the data from his iPhone, iPad and his Mac laptop via Find My iPhone and Find My Mac.
Honan has now posted the first in a series of articles on Wired detailing what happened, and how the hackers were able to take advantage of critical bits of exposed information on different services to get into his accounts. The target, apparently, was always his Twitter account -- the three-letter @mat handle was irresistible to the hackers, and they wanted to use it to wreak mayhem.
The chain of calamity began with the hackers finding Honan's Gmail address via his linked personal webpage off the @mat Twitter account and assuming correctly that it was the email address for his Twitter account. With that detail, they could go to the account recovery page for Gmail and -- without actually attempting to break into his account -- see a partial email address "m....email@example.com" already configured for account recovery. It doesn't take a rocket scientist to guess what the missing letters are there, and once they knew Honan's Gmail password reset would be heading for iCloud, they knew they had an easy path ahead.
Honan pinpoints this bit of personal info as the key to the entire attack. "If I had some other account aside from an Apple email address, or had used two factor authentication for Gmail, everything would have stopped here. But using the .Me email account as a backup told the hacker I had an AppleID account, which meant I was vulnerable to being hacked."
In fact, the hackers needed only to collect a few readily (or nearly so) accessible bits of information in order to get Honan's iCloud password:
- Honan's home address (scraped from domain registration records; note that many registrars will now obscure your address for this reason)
- The .me email address (gleaned from Google account recovery page)
- The last four digits of the credit card on file for the iCloud account
That last one is the killer. Through a series of simple social hacks of Amazon's account maintenance -- no more complex than a few phone calls and a fake but properly formatted credit card number -- it's possible to expose the last four digits of all the credit card numbers on an Amazon user account. Given that detail, AppleCare will apparently issue a temporary iCloud password for you, even if you cannot accurately answer the security questions on file. Temp password leads to password reset; password reset leads to owner getting locked out of the account; all leads to suffering.
Needless to say, this is what some would call a balagan. If it's that simple, in theory, to get an iCloud password reset on the fly, then iTunes accounts and Find My Mac wipes are both in serious jeopardy -- to say nothing of email or location privacy. Apple spokesperson Natalie Kerris told Honan that some internal policies were not followed in his case, but Wired staffers were able to replicate the account access exploit twice over the weekend ... seems like a fairly common policy violation, no?
I would think we'll hear more from Apple on how it plans to address this functional vulnerability in the next few days. Meanwhile, there are a few sensible steps you can take to help secure your account:
- Don't use your iCloud email account as a password recovery account for Gmail, Hotmail, Yahoo! Mail, etc. You can and probably should set up a "blind" account for password recovery on a service you don't use for any other purpose, with an address that is never publicized or used to sign into social media sites.
- Use different payment methods for iTunes/iCloud and for Amazon.
- Don't save credit cards on your Amazon account. Keeping your last four digits off of Amazon's servers means they can't be shared with bad guys.
- Turn ON two-factor authentication where possible. Google allows you to set your account to require a separate check via cellphone or the Google Authenticator app when you log in from a new machine or when you try to change security settings. (Counterpoint: Security expert Bruce Schneier did not think much of two-factor auth back in 2005.)
- Turn off Find My Mac. Until Apple closes this hole, the risk of someone hacking your iCloud account for kicks and wiping your hard drive in the process is unknowable -- but probably too high.
- Back up, back up, back up.
Honan's regrets are many: that he did not have current backups of his laptop, and as a result might have lost irreplaceable photos of his family; that his Google and iCloud accounts were cross-linked for recovery; that he did not set up a separate recovery account. But he's mostly upset that he turned on Find My Mac.
We invite your feedback and questions in the comments, but please keep it civil and constructive. Thanks.