How Apple and Amazon Security Flaws Led to My Epic Hacking
by Mat Honan
Source link: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/
author: Mat Honan
Mat was hacked and his “entire digital life was destroyed” in less time than most people spend checking FaceBook each day. A hacker:
- Deleted his Google account
- Used his Twitter account to “broadcast racist and homophobic messages”
- Erased all the data on his iPhone, iPad, and MacBook.
You may be asking yourself how this happened? The answer is very scary! Mat had all his accounts “daisy-chained” together, which many online companies take advantage of (sign-in with FaceBook or Google+, login with FaceBook to find your friends, use Pay-Pal for checkout). This idea of a Universal Login makes the security of the web much more transparent to the user. It’s great up until it breaks and then it’s devastating as Mat found out. Mat found out from Apple that they gave the hackers access to his iCloud account using the last 4-digits of a credit card number that Amazon displays when you login. Mat points out the following:
“The very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.”
At the time of the hack, Apple only requires a billing address and the last four digits of a credit card number to allow someone, hopefully you but not necessarily, to reset your password to iCloud. Mat made contact with the hacker and agreed not to press charges for information on the hack. The hacker stated he found Mat’s email address on his personal webpage. Using Google’s account recovery page they found his Apple .me email address. This was the golden ticket. The hacker, who goes by Phobia, stated that “You honesty can get into any email associated with apple”. The hacker did a whois search to find Mat’s billing address. The last 4-digits of the credit card number was harder to get but not impossible. Basically, you dupe Amazon into letting you create new sign-in credentials by using Amazon phone support to add a new credit card, which you later use to verify the account in order add a new email address. From here you can send a password reset email to the new email address the hacker owns to get into your Amazon account thus gaining access to the credit card information.