
doboy

macrumors 68040
Jul 6, 2007
3,768
2,940
So because there are endless bad people who want to get your login details, it's not Apple's fault? Isn't the opposite true? Are you sure I'm the one on drugs?

There are very simple ways of defeating phishing, banks do an effective job of it why can't Apple?

----------



It's half assed because it's trivial to defeat. You can't delegate responsibility, even if you are "EV-certified."

----------



It works. It's simple. People understand it. Some tiny icon and the technical information it reveals is incomprehensible to most people.

As I said, half-assed. Apple was supposed to be "easy" yet they want people to understand how SSL certificates work?

Oh wise one. Please enlighten us how to defeat their trivial security.
 

jrswizzle

macrumors 603
Aug 23, 2012
6,107
129
McKinney, TX
Really? I didn't know they were using pass codes. I still haven't set up 2 factor yet for iCloud. I set it up for my google account and I find it a pain to use.

If my phone is lost or stolen, I can quickly and easily deactivate the device from being trusted.

Only one recovery key can be active at a time. It's fairly easy to reset (that is if you've already spoofed the 2 factor, you can do so to log in to someone's AppleID and manage it) but again, email alerts are sent.
 

iphonedude2008

macrumors 65816
Nov 7, 2009
1,134
449
Irvine, CA
If my phone is lost or stolen, I can quickly and easily deactivate the device from being trusted.

Only one recovery key can be active at a time. It's fairly easy to reset (that is if you've already spoofed the 2 factor, you can do so to log in to someone's AppleID and manage it) but again, email alerts are sent.

Wouldn't it be cool if we could use Touch ID for 2 factor? Although then they'd have to have access to your fingerprint and you'd be sending it over the internet.

----------

Oh wise one. Please enlighten us how to defeat their trivial security.

It's simple.

1. Go to their website
2. Use massive supercomputer to bring down their site through denial of service attacks.
3. Access password and security code
4. Login

You just don't understand how easy it is :D
 

Bahroo

macrumors 68000
Jul 21, 2012
1,860
2
So because there are endless bad people who want to get your login details, it's not Apple's fault? Isn't the opposite true? Are you sure I'm the one on drugs?

There are very simple ways of defeating phishing, banks do an effective job of it why can't Apple?

----------



It's half assed because it's trivial to defeat. You can't delegate responsibility, even if you are "EV-certified."

----------



It works. It's simple. People understand it. Some tiny icon and the technical information it reveals is incomprehensible to most people.

As I said, half-assed. Apple was supposed to be "easy" yet they want people to understand how SSL certificates work?

This is only an issue on the Qihoo or whatever that browser is named, this is not Apple's fault at all, this is a "man in the middle attack" and well yeah.. it's actually really easy to see the green box/SSL certificate if you're logging onto something private and something that needs to be secure, like your iCloud account, this isn't an issue on really any browser besides that Chinese browser which I think is called Qihoo or something.
 

jclardy

macrumors 601
Oct 6, 2008
4,182
4,490
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

I don't think you quite understand how this works - China flows all traffic through its servers...if a user does not use an encrypted connection with a trusted certificate then the Great Firewall will be able to grab that user's credentials. It is a giant phishing scam being orchestrated by the Chinese government.

They can do this with every service in existence. The only way to stop it is to have the browser display a warning that the certificate is invalid, which it does. If the user ignores that then there is nothing they can do.

The same thing is happening to Microsoft Live account logins, and could be applied to any service because they control all the traffic. The only way to truly circumvent it would be if the user set up a VPN outside the country to connect through.

And as for your boring old bank being secure...do you not remember Chase bank getting millions of accounts stolen? Or maybe something more recent would be more applicable. Nothing on the internet is completely secure, groups with enough motive will be able to get their way into any account.
 

centauratlas

macrumors 68000
Jan 29, 2003
1,826
3,772
Florida
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?


Either trolling or someone who is completely uninformed.

Take a look at something called a man in the middle attack. And then people clicking on something that says the certificate is invalid. (Or they are using the Chinese browser that ignores those warnings - Qihoo if reports are correct).
 

farewelwilliams

Suspended
Jun 18, 2014
4,966
18,041
So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

I closed HSBC because their idea of security is:

Please enter the 2nd, 8th, 10th characters of your second password. **** that.
 

TechGod

macrumors 68040
Feb 25, 2014
3,273
1,126
New Zealand
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

It's not Apple's fault!
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
If you go to a website using a secure connection (https) and the website doesn't provide a correct certificate, Safari will warn you not to proceed. However, you _can_ proceed.

I think it is time for all the browser makers to change this to a system where an incorrect certificate means you can't get to the site. And if your favourite bank or website can't get its act together and provide a correct certificate, then they are dead as far as your browser is concerned.

At least Apple could do this for Apple's sites, or for sites like Facebook, Amazon etc.
 

mazz0

macrumors 68040
Mar 23, 2011
3,152
3,614
Leeds, UK
As I said, half-assed. Apple was supposed to be "easy" yet they want people to understand how SSL certificates work?

How does this picture thing help? You're giving the fake site your username and password, which they can forward to the real site. Anything the real site would show you, they can show you, assuming you don't have 2FA enabled.
 

Eraserhead

macrumors G4
Nov 3, 2005
10,434
12,250
UK
This is the problem with a country like China where people are constantly being lied to by the government

I don't think people in China trust their state media all that much...

I think it is time for all the browser makers to change this to a system where an incorrect certificate means you can't get to the site. And if your favourite bank or website can't get its act together and provide a correct certificate, then they are dead as far as your browser is concerned.

The problem is that this screws over web developers.
 

Will do good

macrumors 6502a
Mar 24, 2010
666
391
Earth
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

Reading is not your strong suit is it?
 

alphaod

macrumors Core
Feb 9, 2008
22,183
1,245
NYC
Not sure if this obvious data stealing is better or worse than the NSA "secret" scheme.
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
If you go to a website using a secure connection (https) and the website doesn't provide a correct certificate, Safari will warn you not to proceed. However, you _can_ proceed.

I think it is time for all the browser makers to change this to a system where an incorrect certificate means you can't get to the site. And if your favourite bank or website can't get its act together and provide a correct certificate, then they are dead as far as your browser is concerned.

At least Apple could do this for Apple's sites, or for sites like Facebook, Amazon etc.

The best solution is to throw away the CA system entirely. The Chinese government is a valid certificate authority trusted by Firefox and most other browsers by default, so there's basically nothing stopping them from MITM attacks. You could remove them from your trusted CA list, but that might break a lot of sites that Chinese people need. Worse, non-government CAs can be coerced to provide interception certificates, which would be the same problem on a much bigger scale.

A distributed system like the Perspectives or Convergence methods would be much better. In that scenario, we don't care about the CA; we only care if the cert our browser is presented with is different from everyone else's.
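
The comparison described in the post above ("is the cert our browser is presented with different from everyone else's"), as an added example that is not part of the original post and is not Perspectives or Convergence code. It is a simplified model: the notary names, the quorum and minimum-answer thresholds, and the certificate bytes are all constructed for illustration.

```python
import hashlib

def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def notary_verdict(local_fp, notary_views, quorum=0.75, min_answers=2):
    """Compare the fingerprint we were served with what notaries observed.

    notary_views maps a notary name to the fingerprint it saw for the same
    host from its own vantage point, or None if it could not be reached.
    Returns (verdict, agreeing, answered).
    """
    answered = {n: fp for n, fp in notary_views.items() if fp is not None}
    # Fail closed: too few independent observations prove nothing either way.
    if len(answered) < min_answers:
        return ("no-data", 0, len(answered))
    agreeing = sum(1 for fp in answered.values() if fp == local_fp)
    if agreeing / len(answered) >= quorum:
        return ("consistent", agreeing, len(answered))
    # Our network path shows a different certificate than the rest of the
    # world sees, regardless of which CA signed it.
    return ("mismatch", agreeing, len(answered))

# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_CERT = b"constructed: certificate the real server presents"
INTERCEPT_CERT = b"constructed: certificate seen on the intercepted path"

# Constructed notary observations; hypothetical notary names.
NOTARY_VIEWS = {
    "notary-a.example": fingerprint(GENUINE_CERT),
    "notary-b.example": fingerprint(GENUINE_CERT),
    "notary-c.example": fingerprint(GENUINE_CERT),
    "notary-d.example": None,  # unreachable, so it does not count
}

if __name__ == "__main__":
    for label, cert in (("direct path", GENUINE_CERT),
                        ("intercepted path", INTERCEPT_CERT)):
        print(label, notary_verdict(fingerprint(cert), NOTARY_VIEWS))
```

The check only helps when the notaries observe the site from network paths the interceptor does not control; notaries behind the same path would report the same substituted certificate.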
 

DoubleU

macrumors regular
Aug 10, 2008
129
9
Wouldn't it be cool if we could use Touch ID for 2 factor? Although then they'd have to have access to your fingerprint and you'd be sending it over the internet.

As it is stored on your device all that needs to happen is for your trusted device to authenticate that there is a valid fingerprint being used so there's no need for any actual fingerprint data to be transmitted over the Internet.

According to Apple, Touch ID doesn't store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for your actual fingerprint image to be reverse-engineered from this mathematical representation.
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
I'm wondering how many of these AppleIDs are insecure..

True... it's also time for iPhone to be made in USA then :)

A country like China goes after the biggest fish .... Apple.

Personally, Apple got the bait...
 