Just this weekend, Gizmodo writer Mat Honan had his iCloud account hacked. Because iCloud ties together so many of Apple’s devices and services, this let the hacker access all of Honan’s devices, wiping his iPhone, iPad, and MacBook. Additionally, his Twitter and Gmail accounts were both compromised, along with Gizmodo’s Twitter page.
Honan wrote a lengthy blog post detailing how the hack unfolded:
“At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years.
The backup email address on my Gmail account is the same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:04, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s, they were then able to gain entry to that as well.”
So, how exactly did a hacker access his account? Honan initially suspected that his 7-character alphanumeric password had been too weak and that the hacker had simply brute-forced his way into the account. However, in a later update, Honan explains:
“Update three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
This obviously highlights a large security hole in Apple’s account recovery system. If any Apple tech support agent can let in someone who merely claims to be the account holder, it opens the door to some pretty malicious possibilities.