Tuesday, September 30, 2014

Apple is giving away all your stuff in the iCloud

I've used the login name "fishdan" since 1996 -- I own it just about everywhere it's worth having.  Because I'm old, my primary usage is via Yahoo, but I'm also fishdan@gmail.  It's my primary interface to all things Google, including my Google+ account and the account I sync my Android phone with.

Because I'm a good doobie I use 2-Step Verification with this account.  This has been a minor pain in the ass, but it always seemed like a good idea, and I'm rarely that far from my phone.

But because it's not my #1 account, I only check the email every other day or so.

Imagine my surprise when I looked at it today and saw the following:

Yep, 20 emails from Apple.  I knew that wasn't going to be good.

Here's the first one:

Full disclosure -- I don't own an iPhone and I'm not really a consumer of anything in the iTunes universe.  I do have a few Apple IDs, the most critical being professional ones related to being in the iOS Developer Program and other professional things like that.  That one is linked to my Yahoo email address.  I don't remember why I created the Gmail Apple account, but I certainly would not have hesitated to do so.  Probably for apps.

So I'm troubled as soon as I read the email.  Someone was able to sign into my iCloud account from an iPhone?  I don't have an iCloud account!  You can see in the image above that there was then another email saying that my Apple ID was used to sign into FaceTime and iMessage.

And immediately after that, 11 emails like this:

I suppose, being charitable, I could assume that someone had perhaps fat-fingered their email address and they were really dishman@gmail.com.  Still, 11 requests to reset the password??

As it turns out, that was only yesterday.  Today (starting at about 9 this morning) they made 6 more attempts to verify the email address (which you can also see in the first photo).  Of course I didn't respond to any of them (I hadn't even seen them yet), so my account could not have been verified, right?  The last attempt to verify was at 9:08am and went unanswered.

And then at 9:28 this gem!

Seriously, Apple?!?  With no verification, you allowed changes to my account, including the Apple ID, the password and the email address???
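The sequence above (a burst of password-reset requests, then a run of "verify your email" requests, then an account-change notice minutes later with none of them answered) is a recognizable takeover signal that a mailbox filter can catch before the attacker finishes. The following is an added example, not code from the original post or from Apple: a small detector run over constructed notification lines modelled on that sequence. The subject wording, the timestamps, the "date | subject" line format and the thresholds are all assumptions made for the example.

```python
"""Flag an account-takeover pattern in a stream of account notification emails.

Added example, not from the original post.  Input lines are constructed
("YYYY-MM-DD HH:MM | subject"); subject wording only approximates real
Apple notifications.  Two heuristics:

  1. reset_burst: N or more password-reset requests inside one window.
  2. change_after_unanswered_verify: an "account updated" notice landing
     within a grace period of one or more "verify your email" requests.
     From notifications alone we cannot prove the verify links went
     unanswered; a change that closely follows a string of verification
     requests is suspicious either way and worth confirming with the user.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample mirroring the post: two sign-in notices and 11 reset
# requests on day one; 6 verify requests from 09:00-09:08 and an account
# change at 09:28 on day two.  Not real Apple mail.
SAMPLE_LINES = (
    ["2014-09-29 13:40 | Your Apple ID was used to sign in to iCloud from an iPhone",
     "2014-09-29 13:41 | Your Apple ID was used to sign in to FaceTime and iMessage"]
    + [f"2014-09-29 14:{2 * i:02d} | How to reset your Apple ID password" for i in range(11)]
    + [f"2014-09-30 09:{m:02d} | Verify your Apple ID email address" for m in (0, 1, 3, 5, 7, 8)]
    + ["2014-09-30 09:28 | Your Apple ID information has been updated"]
)

# Subject classifiers (assumed phrasing); first match wins.
PATTERNS = [
    ("reset", re.compile(r"reset your (apple id )?password", re.I)),
    ("verify", re.compile(r"verify your (apple id )?email", re.I)),
    ("changed", re.compile(r"(information|account).*(updated|changed)", re.I)),
    ("signin", re.compile(r"sign(ed)? in", re.I)),
]


@dataclass
class Event:
    when: datetime
    kind: str


def classify(subject: str) -> str:
    for kind, pattern in PATTERNS:
        if pattern.search(subject):
            return kind
    return "other"


def parse_events(lines: list[str]) -> list[Event]:
    events = []
    for line in lines:
        when_s, subject = line.split(" | ", 1)
        events.append(Event(datetime.strptime(when_s, "%Y-%m-%d %H:%M"), classify(subject)))
    return sorted(events, key=lambda e: e.when)


def detect_takeover(events: list[Event], reset_threshold: int = 5,
                    window: timedelta = timedelta(hours=24),
                    grace: timedelta = timedelta(hours=1)) -> list[tuple[str, int, datetime]]:
    """Return (rule, count, timestamp) alerts; thresholds are assumptions."""
    alerts = []

    # Rule 1: sliding window over reset requests, report the first burst.
    resets = [e.when for e in events if e.kind == "reset"]
    for i, start in enumerate(resets):
        in_window = [t for t in resets[i:] if t - start <= window]
        if len(in_window) >= reset_threshold:
            alerts.append(("reset_burst", len(in_window), start))
            break

    # Rule 2: every account change preceded by verify requests within `grace`.
    verifies = [e.when for e in events if e.kind == "verify"]
    for e in events:
        if e.kind != "changed":
            continue
        pending = [t for t in verifies if timedelta(0) <= e.when - t <= grace]
        if pending:
            alerts.append(("change_after_unanswered_verify", len(pending), e.when))
    return alerts


def run_sample() -> list[tuple[str, int, datetime]]:
    return detect_takeover(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for rule, count, when in run_sample():
        print(f"{when:%Y-%m-%d %H:%M}  {rule}  (n={count})")
```

On the constructed sample both rules fire: the 11 reset requests within a day trip the burst rule, and the 09:28 change lands within an hour of all six verify requests. In a real deployment the thresholds would be tuned to the provider's normal behaviour, and the second alert should page the account owner rather than silently log, since the window between "account updated" and "reset mail now goes to the attacker" is exactly what the post describes losing.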

So I noticed this a few hours ago.  I went to Apple to try to reset my password.  Guess what!  If a reset-password email was sent at all, it was no longer being sent to my Gmail account.

I tried to get in touch with Apple, but the best they can do is call me tomorrow morning -- we'll see how it turns out.

I feel confident my Gmail account is secure because of two-factor authentication.  I only use virtual credit card numbers online, all of which I set to expire one month after I use them, so I'm not too worried about there being a credit card number associated with the iTunes account.

What I am really unhappy about, however, is that whatever WAS in that account -- perhaps some apps, perhaps photos? -- is now apparently gone to someone else.

I did nothing wrong here (and I would argue many things right) and STILL Apple allowed themselves to be socially engineered into giving up an account, even after they were exposed two years ago and deleted all of a guy's photos of his kids, his collected works...

Bottom line?

You would have to be crazy to trust Apple or iCloud with anything sensitive, or anything you wouldn't want to lose!

I suspect that if I had had an iCloud account or an iPhone, my exposure would have been even worse.

1 comment:

Dan Fishman said...

Update 1: Apple called me on 10/1 at 9:50, as they said they would. I went up the Apple Support food chain. My last contact was with "Lisa" who at first refused to read this blog, but after she did became very helpful. She promised to escalate this to an engineer, who I would not be allowed to speak with, but she assured me that because it was so early in the day, we would have a resolution by the end of the day. I have not heard back, and it's now end of business on 10/2. I did get a "verify email" from Apple this morning at 10, which I did not see for a few hours, so it had expired by the time I clicked on it.

I went back to Apple and logged into my Gmail user ID, but nothing had changed.