Apple apparently gave a perfect stranger access to Mat Honan's iCloud account without verifying his identity.
As we become more connected and more reliant on the web, strong account security matters more and more. While some services, like Gmail, offer two-step verification so that a password alone is not enough to get into your account, not every service is as airtight. This past weekend, Wired's Mat Honan revealed that he had been hacked. Actually, the hackers themselves revealed that fact when they took control of Honan's Twitter account, but Honan later divulged just how bad the attack was.
Honan says someone accessed his iCloud account at 4:50pm on Friday afternoon. That person reset the password and then moved the password reset confirmation email to the trash so it would not be noticed. After that, the hacker switched focus to Honan's Gmail account. Honan said in a blog post on Friday that the backup (recovery) email address on his Gmail account was his .mac address, which belongs to the very iCloud account the attacker now controlled. So, at 4:52pm, the attacker sent a Gmail password recovery email to the .mac account and successfully reset his Gmail password.
Now, most of us would already be freaking out at this point. The idea of a stranger having access to your personal email is a very scary one. However, the hacker wasn't finished with Honan. At 5pm, using that same iCloud access, the attacker remotely wiped his iPhone. One minute later, they did the same to his iPad. At 5:05pm, his MacBook Air was wiped clean. After that, they accessed his Twitter account and, because it was once linked to the account of his former employer Gizmodo, the hackers took the @Gizmodo account, too.
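The chain above is a recovery-dependency problem: each account trusted another account (or a linked device) to vouch for a password reset, so one foothold cascaded into everything. The script below is an added example, not code from the original article or from any of the services involved; it models that dependency graph with constructed sample data that mirrors the chain described above, computes the blast radius of a single compromised account, and shows how much the damage shrinks when one link (the Gmail recovery address pointing at the .mac account) is broken. Account names and edges are illustrative assumptions, not data from Honan's real accounts.

```python
from collections import deque

# Constructed sample data (assumption, modelled on the chain in the article):
# an edge A -> B means "whoever controls A can reset or take over B", e.g. via
# a recovery email address, a linked account, or a remote-wipe capability.
RECOVERY_EDGES = {
    "icloud": ["gmail", "iphone", "ipad", "macbook"],  # recovery address + remote wipe
    "gmail": ["twitter"],                              # Twitter resets go to Gmail
    "twitter": ["gizmodo_twitter"],                    # linked accounts
}


def all_accounts(edges):
    """Every account that appears as a source or a target in the graph."""
    return set(edges) | {dst for targets in edges.values() for dst in targets}


def blast_radius(edges, foothold):
    """Breadth-first walk from one compromised account.

    Returns {account: path} for every account the attacker can reach, where
    path is the sequence of takeovers needed to get there (foothold first).
    """
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for nxt in edges.get(current, []):
            if nxt not in paths:              # first discovery = shortest path
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def most_critical(edges):
    """Rank accounts by how many others fall if that one account is lost."""
    ranked = [(len(blast_radius(edges, acct)) - 1, acct) for acct in all_accounts(edges)]
    return sorted(ranked, reverse=True)


def without_edge(edges, src, dst):
    """Return a copy of the graph with one trust relationship removed,
    e.g. pointing a recovery address at an account that is NOT itself
    recoverable through the first one."""
    fixed = {k: [t for t in v if not (k == src and t == dst)] for k, v in edges.items()}
    return fixed


if __name__ == "__main__":
    for acct, path in sorted(blast_radius(RECOVERY_EDGES, "icloud").items()):
        print(f"{acct:16s} via {' -> '.join(path)}")
    print("criticality:", most_critical(RECOVERY_EDGES))
    hardened = without_edge(RECOVERY_EDGES, "icloud", "gmail")
    print("after fix, icloud compromise reaches:",
          len(blast_radius(hardened, "icloud")) - 1, "other accounts")
```

The practical check is the criticality ranking: any account that sits at the top of that list, as iCloud does here, needs recovery and support channels that are at least as strong as the strongest account that depends on it, and its recovery address should not loop back into an account it can itself reset.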
The story of how the hacker breached one account and used that access to breach multiple other accounts is interesting enough as it is. However, how they got access to the first account (in this instance, iCloud) is even more interesting. Though Honan originally thought the person responsible had managed to brute-force his seven-character alphanumeric password, he soon figured out that it wasn't as hard as that. In an update to his blog post, Mr. Honan said that he had confirmed with both the hacker and Apple that it wasn't password related. The hacker simply phoned Apple support, convinced the tech support worker that he was Honan, and had them reset the password.
Speaking via Twitter, Honan revealed that the hacker didn't even have to answer any security questions. "They did not have to answer security questions. Bypassed both the password, and the questions," he told one follower, later adding, "To all asking exactly what info let hackers access my account, I want to give Apple a chance to respond first. Should be an easy fix."
Apple hasn't yet commented publicly on the situation, but we don't expect Cupertino to stay quiet for long. This could have happened to anyone (though Honan's job as a tech blogger for a popular publication does make him an attractive target), and the fact that Apple let a stranger into a user's account without any real verification of identity is very worrying. We'll keep you posted on this one.