Changing Apple ID Password Using Only a Device and Passcode
Joanna Stern and Nicole Nguyen (tweet, Hacker News, MacRumors):
Using a remarkably low-tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and their digital lives.
[…]
With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.
[…]
They don’t necessarily account for the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes. Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally designed as a convenience: allowing forgetful customers to use their passcode to reset the Apple account password.
[…]
A similar vulnerability exists in Google’s Android mobile operating system. However, the higher resale value of iPhones makes them a far more common target, according to law-enforcement officials.
Of course, once they have access to the Apple ID, they can just turn off Activation Lock.
Apple recently introduced the ability to use hardware security keys, little USB dongles, to protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes using only the passcode, and the passcode could even be used to remove security keys from the account.
[…]
Apps such as Apple Photos, iCloud Drive and Google Drive now offer the ability to search text within images and documents. In the Journal’s tests, a search in the Apple Photos app for “SSN” (Social Security number) and “TIN” (taxpayer identification number) immediately produced a photo of a 1099 tax form with Social Security information that had been stored on the phone.
I’ve been reporting on Apple for over a decade and I didn’t know or long forgot that you can reset an Apple ID password on an iPhone by simply entering the four-digit passcode – no other steps required!
I’ve always seen the iPhone passcode as a weak point, but I had incorrectly assumed I could protect myself by not putting my Apple ID password into the Apple password manager. I had no idea that the device itself would be treated as verification for the purposes of resetting the password.
I’ve also considered whether it makes sense to have my Apple ID use an e-mail account that’s not configured on the iPhone, so that it wouldn’t be so easy to reset the password and then just read the verification e-mail. However, this is tricky because it seems like, if I’ve enabled iCloud Keychain, the Mac will upload my e-mail passwords to the cloud, anyway. I already exclude my key financial passwords from Apple Passwords, but I need my mail passwords to be in the keychain to be able to use Mail. Is there a way to mark certain passwords as not syncable?
Suggestions:
- Face ID needs to improve so that I don’t need to keep typing my passcode in public (even while wearing an Apple Watch!) and so that I don’t feel pressured to pick a short passcode that’s easy to type.
- If it’s not actually failing to recognize my face and is instead doing a periodic verification that I know my passcode, it should do that when it knows I’m at home.
- I would like to be able to protect my passwords with a longer master password.
- There should be an easy way to opt out from resetting Apple ID passwords using only a device and passcode. So far, the best option I’ve seen is to use Screen Time to require an extra password for account changes, but this is obscure.
Previously:
Update (2023-02-27): Jeff Johnson:
I’ve heard, but not verified, that Emergency Reset can bypass Screen Time and still change your Apple ID password.
See also: Dave Mark and Adam Engst.
Update (2023-03-01): See also: The Talk Show.
Update (2023-03-02): It turns out that the ability to reset Apple ID passwords using only an iPhone and passcode was added way back in iOS 11. I blogged about it but at the time was more concerned about the related change to iTunes backups.
Gruber and Arment say that the passcode can always be used as a fallback if Face ID fails, that it’s the master key for everything. This is true for system stuff, but third-party apps have a choice. Apps with sensitive data such as banking apps and password managers can choose to only allow access via biometrics. If Face ID fails, you have to enter the app-specific password. I tested this, and it works correctly, which is great. You can reset Face ID using only the passcode, but that does not give you access to the app data formerly protected via Face ID.
But it seems like there’s a loophole. I was able to add an alternate Face ID appearance using only my passcode (while covering the sensor with my finger). So someone with your phone and your passcode could add their own face to Face ID and then use that to get into your password manager. It seems like you can prevent this by adding yourself as an alternate appearance. Then future Face ID changes would require a reset.
Gruber also notes that if someone takes over your Apple ID account in this way you can lose your data if you’re using end-to-end encryption. Even if you’ve saved the recovery keys or have a recovery contact, those can be revoked by whoever controls your account. Then neither you nor Apple can decrypt the data on their servers. Other devices signed into your Apple ID can also be kicked off, though perhaps they retain caches of some of the data.
Previously:
- Advanced Data Protection for iCloud
- iOS 11 Allows Device and PIN to Reset iTunes Backup and Apple ID Passwords
Update (2023-03-03): Dave:
If someone steals your iPhone’s passcode and adds an alternate appearance to Face ID on your iPhone, Face ID will be automatically disabled for 1Password and you will be required to enter your account password to re-enable Face ID the next time that you try to unlock the app.
Bank of America handled that the same way for me, but PasswordWallet did not require my password again. Since it seems like the behavior is app-specific, I still think it’s a good idea to configure your own alternate appearance.
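The app-level defense described in the two passages above (third-party apps that gate data behind biometrics only, and 1Password disabling Face ID when an alternate appearance is added) rests on two mechanisms iOS provides to apps. The Swift sketch below is an added example, not 1Password’s, PasswordWallet’s or Apple’s code, of how an app can implement that behavior: it stores the vault key in a keychain item created with the `.biometryCurrentSet` access-control flag, which the Secure Enclave invalidates when Face ID or Touch ID enrollment changes, and it compares `LAContext.evaluatedPolicyDomainState`, an opaque token that changes on enrollment changes, against a copy saved when biometrics were enabled. The service name, account name and defaults key are constructed placeholders.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example, not 1Password's or Apple's code. Service/account names and the
// UserDefaults key are constructed for illustration.
//
// Layer 1: a keychain item created with .biometryCurrentSet is invalidated by the
//   Secure Enclave when biometric enrollment changes (alternate appearance added,
//   Face ID reset); reads then fail with errSecItemNotFound.
// Layer 2: LAContext.evaluatedPolicyDomainState changes on enrollment changes;
//   comparing it with a stored copy lets the app explain why it now demands its
//   own password instead of the device passcode.

enum VaultUnlockResult {
    case unlocked(Data)           // vault key recovered via biometrics
    case requirePassword(String)  // biometrics refused; fall back to app password
}

final class BiometricVaultGate {
    private let service = "com.example.vault"             // constructed
    private let account = "vault-key"                     // constructed
    private let stateDefaultsKey = "biometricDomainState" // constructed

    private var itemQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Call only after the user has proven knowledge of the vault password.
    /// No .devicePasscode flag is combined in, so the passcode alone never
    /// unlocks the stored key.
    func enableBiometricUnlock(vaultKey: Data) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .biometryCurrentSet,
            &cfError) else {
            throw cfError!.takeRetainedValue() as Error
        }
        SecItemDelete(itemQuery as CFDictionary) // replace any stale item
        var add = itemQuery
        add[kSecAttrAccessControl as String] = access
        add[kSecValueData as String] = vaultKey
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        // Remember which enrollment set was current when biometrics were enabled.
        let context = LAContext()
        if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil) {
            UserDefaults.standard.set(context.evaluatedPolicyDomainState, forKey: stateDefaultsKey)
        }
    }

    /// Any enrollment change, detected explicitly (domain state) or implicitly
    /// (item invalidated), revokes biometric unlock until the user re-enables it
    /// with the vault password.
    func unlockWithBiometrics(reason: String) -> VaultUnlockResult {
        let context = LAContext()
        context.localizedReason = reason
        context.localizedFallbackTitle = "" // hides the "Enter Passcode" button
        var laError: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &laError) else {
            return .requirePassword(laError?.localizedDescription ?? "Biometrics unavailable")
        }
        if let saved = UserDefaults.standard.data(forKey: stateDefaultsKey),
           let current = context.evaluatedPolicyDomainState, saved != current {
            revokeBiometricUnlock()
            return .requirePassword("Face ID or Touch ID enrollment changed; enter your vault password to re-enable it.")
        }
        var read = itemQuery
        read[kSecReturnData as String] = true
        read[kSecUseAuthenticationContext as String] = context
        var result: CFTypeRef?
        switch SecItemCopyMatching(read as CFDictionary, &result) {
        case errSecSuccess:
            return .unlocked(result as! Data)
        case errSecItemNotFound:
            // The Secure Enclave invalidated the .biometryCurrentSet item.
            revokeBiometricUnlock()
            return .requirePassword("Biometric key was invalidated; enter your vault password.")
        case let status:
            return .requirePassword("Biometric unlock failed (\(status)); enter your vault password.")
        }
    }

    func revokeBiometricUnlock() {
        SecItemDelete(itemQuery as CFDictionary)
        UserDefaults.standard.removeObject(forKey: stateDefaultsKey)
    }
}
```

The design point is that the recovery path is the app’s own password, never the device passcode: the access control carries no `.devicePasscode` flag, the fallback button is hidden, and a changed enrollment set leads to `revokeBiometricUnlock()` rather than to a passcode prompt. This is the behavior 1Password and Bank of America showed in the tests above; an app that omits the enrollment check (as PasswordWallet apparently did) leaves the alternate-appearance loophole open.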
Update (2023-03-14): multigreg (via Accidental Tech Podcast):
I set Screen Time restrictions with a passcode, without the option to remove it using AppleID (tapping ‘Cancel’ & ‘Skip’).
When I try the ‘Forgot passcode’ link, it still guides me through the options to enter my AppleID or device password, or find a forgotten AppleID.