
Apple is giving away all your stuff in the iCloud

I've used the login name "fishdan" since 1996 -- I own it just about everywhere it's worth having.  Because I'm old, my primary usage is via Yahoo, but I'm also fishdan@gmail. It's my primary interface to all things Google, including my Google+ account and the account I sync my Android phone with.

Because I'm a good doobie I use 2-step verification with this account.  This has been a minor pain in the ass, but it always seemed like a good idea, and I'm rarely that far from my phone.

But because it's not my #1 account, I only check the email every other day or so.

Imagine my surprise when I looked at it today and saw the following:

Yep, 20 emails from Apple.  I knew that wasn't going to be good.

Here's the first one:

Full disclosure -- I don't own an iPhone and I'm not really a consumer of anything in the iTunes universe.  I do have a few Apple IDs, the most critical being professional ones related to being in the iOS developer program and other professional things like that.  That one is linked to my Yahoo email address.  I don't remember why I created the Gmail Apple account, but I certainly would not have hesitated to do so.  Probably for apps.

So, I'm troubled as soon as I read the email.  Someone was able to sign into my iCloud account from an iPhone?  I don't have an iCloud account!  You can see in the image above that there was then another email saying that my Apple ID was used to sign into FaceTime and iMessage.

And immediately after that, 11 emails like this:

I suppose, being charitable, I could assume that someone had perhaps fat-fingered their email address and that they were dishman@gmail.com.  Still, 11 requests to reset the password??

As it turns out, that was only for yesterday.  Today (starting at about 9 this morning) they made 6 more attempts to verify the email address (which is also in the first photo).  Of course I didn't respond to any of them (I hadn't even seen them yet), so my account could not have been verified, right?  The last attempt to verify was at 9:08 am and went unanswered.

And then at 9:28 this gem!

Seriously, Apple?!?  With no verification, you allowed changes to my account, including the Apple ID, the password and the email address???

So I noticed this a few hours ago.  I went to Apple to try to reset my password.  Guess what!  If there was a password reset email, it was no longer being sent to my Gmail account.

I tried to get in touch with Apple, but the best they can do is call me tomorrow morning -- we'll see how it turns out.

I feel confident my Gmail account is secure because of two-factor authentication.  I only use virtual credit card numbers online, all of which I set to expire one month after I use them, so I'm not too worried about there being a credit card number associated with the iTunes account.

What I am really unhappy about, however, is that whatever WAS in that account -- perhaps some apps, perhaps photos? -- is now apparently gone to someone else.

I did nothing wrong here (and I would argue many things right) and STILL Apple allowed themselves to be socially engineered into giving up an account, even after they were exposed two years ago and deleted all of a guy's photos of his kids, his collected works...

Bottom line?

You would have to be crazy to trust Apple or iCloud with anything sensitive, or anything you wouldn't want to lose!

I suspect that if I had had an iCloud account or an iPhone, my vulnerability would have been even worse.

Comments

Dan Fishman said…
Update 1: Apple called me on 10/1 at 9:50, as they said they would. I went up the Apple Support food chain. My last contact was with "Lisa," who at first refused to read this blog, but after she did became very helpful. She promised to escalate this to an engineer, whom I would not be allowed to speak with, but she assured me that because it was so early in the day, we would have a resolution by the end of the day. I have not heard back, and it's now end of business on 10/2. I did get a "verify email" from Apple this morning at 10, which I did not see for a few hours, so it had expired by the time I clicked on it.

I went back to Apple and logged into my Gmail user ID, but nothing had changed.
