Anatomy of a Successful Personal Hack
How did a hacker help expose holes in cloud security at Apple and Amazon? By doing some basic research and making some calls. If your end users carry iOS devices, read on.
According to Mat Honan's detailed discussion of his pwnage, he wasn't targeted for his connection with Gizmodo or Wired or anything he wrote online.
A hacker calling him/herself "Phobia" (whom Honan interviewed via email and Twitter DM) sparked on Honan because of his ultra-short Twitter handle: @mat.
Phobia's goal was always to crack Honan's Twitter account, but doing so meant starting with bigger fish and working gradually toward details that would allow the Twitter account to be cracked.
Apple's record of the attack starts at 4:33 Aug. 3 with a call from "Honan" complaining he was shut out of an email account on Apple's iCloud service.
The actual attack started earlier, when "Phobia" followed a link on Honan's public Twitter profile to his personal webpage, where they found his Gmail address, which, he/she assumed, was the email linked to his Twitter account.
Off Phobia went to the Gmail password-recovery page, which offered not only Honan's Gmail handle, but also most of the backup address he listed for account firstname.lastname@example.org.
That told Phobia Honan had an iCloud account and an AppleID that would probably have access to all his other Apple devices or accounts.
"'You honestly can get into any email associated with apple,' Phobia claimed in an e-mail," Honan wrote in his explanation. "And while it’s work, that seems to be largely true."
To get into his Twitter account, Phobia needed Honan's Gmail password; to get the Gmail password Phobia needed access to either the Gmail account, or the password-recovery account, which could also log in to Honan's Gmail.
Getting the AppleID was a little more complicated, but required only the last four digits of Honan's credit card and his street address. Phobia got the street address by running a whois search on Honan's personal webpage but could have done a five-minute Google search and come up with the same result, as is the case for most Americans.
The credit-card information sometimes comes up in Google Searches, but it didn't in Honan's case. Phobia got that by scamming Amazon--the giant retail service, not AWS, the cloud service. Phobia phoned Amazon, asking to add a credit card to the account, then giving a bogus number and new email address. The bogus email allowed Phobia to go to Amazon's password-recovery page and send a temp password to the fake account.
Honan and Wired ran the same scam, to see if it worked. It did, twice--it took a few minutes each time.
Amazon's temp password let Phobia log in to Amazon, read Honan's credit-card information, then use the credit card and confirmed-by-Amazon street address to confirm ownership of Honan's iCloud account during a phone call to Apple tech support.
AppleCare responded by sending a temporary password; Phobia used the temp password to change the password to the AppleID account, locking Honan out and gaining control of Honan's iCloud account and access to all the accounts to which it was linked.
"It’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example," Honan wrote. "If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life."--K.F.