- According to a recent report, several Apple users are bombarded with dozens of notifications or multi-factor authentication (MFA) requests to change their Apple ID password.
- The attackers seem to have taken advantage of what appears to be a bug in Apple's password reset feature.
- If you're an Apple user, make sure to tap "Don't Allow" on all password change requests and bear in mind that Apple never makes phone calls asking for one-time password codes.
According to a recent report on KrebsOnSecurity, several Apple users are being targeted in phishing attacks that take advantage of what appears to be a bug in Apple’s password reset feature. In this attack, users are bombarded with dozens of notifications or multi-factor authentication (MFA) requests to change their Apple ID password.
The attacker has managed to cause the targeted iPhone, Mac, or Apple Watch to display endless system-level password change prompts that prevent the devices from being used until the user chooses “Allow” or “Don’t Allow” for each prompt. The attacker does this repeatedly with the hope that the target will either approve the request mistakenly or get tired of the endless notifications and click on the allow button. When the request is approved, the attacker can change the Apple ID password and lock the user out of his Apple account.
These password reset requests will appear on all Apple devices where a user has signed in with the same Apple ID. Therefore, the user won’t be able to use any of his linked Apple devices until the popups are dismissed one by one on each of them.
An X (aka Twitter) user Parth Patel shared his story of being targeted for this phishing attack on his Apple ID. He said he couldn’t use his Apple devices until he clicked on “Don’t Allow” for more than 100 notifications.
These attacks aren’t just limited to sending notifications. The attackers had an ace up their sleeves. When the attackers can’t get the targeted user to click “Allow” on the reset password notifications, they will make phone calls using caller ID spoofing of the official Apple Support phone line. During the call, the attacker claims to know that the user is under an attack, and will empathize with the victim to win his trust. The attacker will attempt to get the one-time password that’s sent to the victim’s phone number when attempting password change requests.
In Parth’s case, the attacker used information leaked from a people search website, which included personal details like name, phone number, current address, past address, and more. Somehow, the attacker had his name wrong. The target became suspicious when he was asked to share a one-time code that appeared to be sent by Apple explicitly with a message saying that Apple does not ask for any codes. However, the attacker has the email address and phone number associated with the user’s Apple ID.
KrebsOnSecurity studied the issue and found these attackers appear to be using an Apple page for a forgotten Apple ID password. This page requires an Apple ID or phone number, and it has a CAPTCHA. When you enter an email address, the page displays the last two digits of the phone number linked with that Apple account. When someone fills in the missing digits and hits the submit button, it sends a system alert.
At the moment, it isn’t clear how the attackers are able to abuse the system and manage to send multiple requests to Apple users. It seems there’s a bug in the system that’s being exploited. Apple system cannot used to send more than 100 requests at once, so probably, the rate limit is being bypassed.
If you’re an Apple user, you must make sure to tap “Don’t Allow” on all password change requests, unless you’ve deliberately made the request. Also, bear in mind that Apple never makes phone calls asking for one-time password codes. So, you must act smartly and escape these dangers.