SELL FASTER BUY SMARTER SEARCH SHOP ADVERTS


SCROll DOWN TO SEE FORM TO POST ..SCROll DOWN TO SEE FORM TO POST
++MAP OR ENTER BELOW

THN

Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts

Apple Touch ID iCloud security vulnerabilityApple Touch ID iCloud security vulnerability

Apple earlier this year fixed a security
vulnerability in iOS and macOS that could have potentially
allowed an attacker to gain unauthorized access to a user’s iCloud
account.

Uncovered in February by Thijs
Alkemade[2], a security specialist
at IT security firm Computest, the flaw resided in Apple’s
implementation of TouchID (or FaceID) biometric feature that
authenticated users to log in to websites on Safari, specifically
those that use Apple ID logins.

After the issue was reported to Apple through their responsible
disclosure program, the iPhone maker addressed the vulnerability in
a server-side
update[3].

An Authentication Flaw

The central premise of the flaw is as follows. When users try to
sign in to a website that requires an Apple ID, a prompt is
displayed to authenticate the login using Touch ID. Doing so skips
the two-factor authentication step since it already leverages a
combination of
factors for identification, such as the device (something you
have) and the biometric information (something you are).

cybersecurity

Contrast this during logins to Apple domains (e.g. “icloud.com”)
the usual way with an ID and password, wherein the website embeds
an iframe pointing to Apple’s login validation server
(“https://idmsa.apple.com”), which handles the authentication
process.

Apple Touch ID FlawApple Touch ID Flaw

A shown in the video
demonstration, the iframe URL also contains two other
parameters — a “client_id” identifying the service (e.g., iCloud)
and a “redirect_uri” that has the URL to be redirected to after
successful verification.

But in the case where a user is validated using TouchID, the
iframe is handled differently in that it communicates with the
AuthKit daemon (akd) to handle the biometric authentication and
subsequently retrieve a token (“grant_code”) that’s used by the
icloud.com page to continue the login process.

To do this, the daemon communicates with an API on
“gsa.apple.com,” to which it sends the details of the request and
from which it receives the token.

The security flaw discovered by Computest resides in the
aforementioned gsa.apple.com API, which made it theoretically
possible to abuse those domains to verify a client ID without
authentication.

“Even though the client_id and redirect_uri were included in the
data submitted to it by akd, it did not check that the redirect URI
matches the client ID,” Alkemade noted. “Instead, there was only a
whitelist applied by AKAppSSOExtension on the domains. All domains
ending with apple.com, icloud.com and icloud.com.cn were
allowed.”

Apple Touch ID FlawApple Touch ID Flaw

This means that an attacker could exploit a cross-site scripting
vulnerability on any one of Apple’s subdomains to run a malicious
snippet of JavaScript code that can trigger a login prompt using
the iCloud client ID, and use the grant token to obtain a session
on icloud.com.

Setting Up Fake Hotspots to Take Over iCloud Accounts

In a separate scenario, the attack could be executed by embedding
JavaScript on the web page that’s
displayed when connecting to a Wi-Fi network for the first time
(via “captive.apple.com”), thus allowing an attacker access to a
user’s account by just accepting a TouchID prompt from that page.

“A malicious Wi-Fi network could respond with a page with
JavaScript which initiates OAuth as iCloud,” Alkemade said[7]. “The user receives a
TouchID prompt, but it’s very unclear what it implies. If the user
authenticates on that prompt, their session token will be sent to
the malicious site, giving the attacker a session for their account
on iCloud.”

“By setting up a fake hotspot in a location where users expect
to receive a captive portal (for example at an airport, hotel or
train station), it would have been possible to gain access to a
significant number of iCloud accounts, which would have allowed
access to backups of pictures, location of the phone, files and
much more,” he added.

This is not the first time security issues have been found in
Apple’s authentication infrastructure. In May, Apple patched a
flaw[8] impacting its “Sign in
with Apple” system that could have made it possible for remote
attackers to bypass authentication and take over targeted users’
accounts on third-party services and apps that have been registered
using Apple’s sign-in option.

[1][4][5][6]

References

  1. ^
    security vulnerability
    (www.computest.nl)
  2. ^
    Thijs Alkemade
    (twitter.com)
  3. ^
    server-side update
    (twitter.com)
  4. ^
    combination of factors
    (en.wikipedia.org)
  5. ^
    video demonstration
    (vimeo.com)
  6. ^
    web
    page     (captive.apple.com)
  7. ^
    said
    (twitter.com)
  8. ^
    Apple patched a flaw
    (thehackernews.com)

Read more

.An African People Search Engine Business directory and Entertainment Portal . Powered by The Swordpress Blog and the folks @ ojoojoo.com and Dotifi Web hosting

Submit A Place
Help Us Review This SwordPress !

RSS Latest News

Post Views: 569
[activity-stream]
THE HITCH hikers guide to Nigeria JobScout | Developed By Rara Theme. Powered by WordPress.
Get Mobile App Get Mobile App
Get Mobile App

Add a new location

Edit Location

Add up to 5 images to create a gallery for this location.

×