Archive for February 27, 2023

Monday, February 27, 2023

Changing Apple ID Password Using Only a Device and Passcode

Joanna Stern and Nicole Nguyen (tweet, Hacker News, MacRumors):

Using a remarkably low-tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and their digital lives.

[…]

With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.

[…]

They don’t necessarily account for the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes. Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally designed as a convenience: allowing forgetful customers to use their passcode to reset the Apple account password.

[…]

A similar vulnerability exists in Google’s Android mobile operating system. However, the higher resale value of iPhones makes them a far more common target, according to law-enforcement officials.

Of course, once they have access to the Apple ID, they can just turn off Activation Lock.

Apple recently introduced the ability to use hardware security keys, little USB dongles, to protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes using only the passcode, and the passcode could even be used to remove security keys from the account.

[…]

Apps such as Apple Photos, iCloud Drive and Google Drive now offer the ability to search text within images and documents. In the Journal’s tests, a search in the Apple Photos app for “SSN” (Social Security number) and “TIN” (taxpayer identification number) immediately produced a photo of a 1099 tax form with Social Security information that had been stored on the phone.

Joe Rossignol:

I’ve been reporting on Apple for over a decade and I didn’t know or long forgot that you can reset an Apple ID password on an iPhone by simply entering the four-digit passcode – no other steps required!

I’ve always seen the iPhone passcode as a weak point, but I had incorrectly assumed I could protect myself by not putting my Apple ID password into the Apple password manager. I had no idea that the device itself would be treated as verification for the purposes of resetting the password.

I’ve also considered whether it makes sense to have my Apple ID use an e-mail account that’s not configured on the iPhone, so that it wouldn’t be so easy to reset the password and then just read the verification e-mail. However, this is tricky because it seems like, if I’ve enabled iCloud Keychain, the Mac will upload my e-mail passwords to the cloud, anyway. I already exclude my key financial passwords from Apple Passwords, but I need my mail passwords to be in the keychain to be able to use Mail. Is there a way to mark certain passwords as not syncable?

Suggestions:

Previously:

Update (2023-02-27): Jeff Johnson:

I’ve heard, but not verified, that Emergency Reset can bypass Screen Time and still change your Apple ID password.

See also: Dave Mark and Adam Engst.

Update (2023-03-01): See also: The Talk Show.

Update (2023-03-02): It turns out that the ability to reset Apple ID passwords using only an iPhone and passcode was added way back in iOS 11. I blogged about it but at the time was more concerned about the related change to iTunes backups.

Gruber and Arment say that the passcode can always be used as a fallback if Face ID fails, that it’s the master key for everything. This is true for system stuff, but third-party apps have a choice. Apps with sensitive data such as banking apps and password managers can choose to only allow access via biometrics. If Face ID fails, you have to enter the app-specific password. I tested this, and it works correctly, which is great. You can reset Face ID using only the passcode, but that does not give you access to the app data formerly protected via Face ID.

But it seems like there’s a loophole. I was able to add an alternate Face ID appearance using only my passcode (while covering the sensor with my finger). So someone with your phone and your passcode could add their own face to Face ID and then use that to get into your password manager. It seems like you can prevent this by adding yourself as an alternate appearance. Then future Face ID changes would require a reset.

Gruber also notes that if someone takes over your Apple ID account in this way you can lose your data if you’re using end-to-end encryption. Even if you’ve saved the recovery keys or have a recovery contact, those can be revoked by whoever controls your account. Then neither you nor Apple can decrypt the data on their servers. Other devices signed into your Apple ID can also be kicked off, though perhaps they retain caches of some of the data.

Previously:

Update (2023-03-03): Dave:

If someone steals your iPhone’s passcode and adds an alternate appearance to Face ID on your iPhone, Face ID will be automatically disabled for 1Password and you will be required to enter your account password to re-enable Face ID the next time that you try to unlock the app.

Bank of America handled that the same way for me, but PasswordWallet did not require my password again. Since it seems like the behavior is app-specific, I still think it’s a good idea to configure your own alternate appearance.
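The app-side defence Dave and the author describe above (biometric unlock disabled as soon as the enrolled faces change) can be built on the Keychain's .biometryCurrentSet access-control flag, which invalidates an item when the biometric enrollment changes. This Swift sketch is an added example, not 1Password's, PasswordWallet's or Apple's code; the service name, the BiometricBoundSecret type and its Outcome cases are hypothetical.

```swift
import Foundation
import Security
import LocalAuthentication
// Added example (not 1Password's or Apple's code). Binds an app secret to the
// currently enrolled biometric set via .biometryCurrentSet: if someone with the
// passcode enrolls an alternate Face ID appearance, the keychain item is
// invalidated and the app must fall back to its own password.
enum BiometricBoundSecret {
    static let service = "com.example.vault.master-key"   // hypothetical identifier
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword, kSecAttrService as String: service]
    }

    static func store(_ secret: Data) throws {
        var cfError: Unmanaged<CFError>?
        // .biometryAny would survive re-enrollment; .biometryCurrentSet does not.
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                .biometryCurrentSet, &cfError) else {
            throw cfError!.takeRetainedValue() as Error
        }
        SecItemDelete(baseQuery as CFDictionary)   // replace any earlier item
        var add = baseQuery
        add[kSecAttrAccessControl as String] = access
        add[kSecValueData as String] = secret
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }

    enum Outcome { case unlocked(Data), enrollmentChanged, cancelled, failed(OSStatus) }
    static func load() -> Outcome {
        let context = LAContext()
        context.localizedReason = "Unlock the vault"
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context
        var item: CFTypeRef?
        switch SecItemCopyMatching(query as CFDictionary, &item) {
        case errSecSuccess:      return .unlocked(item as! Data)
        // Item invalidated because biometrics changed: disable biometric unlock,
        // require the app password, then call store(_:) again to re-bind.
        case errSecItemNotFound: return .enrollmentChanged
        case errSecUserCanceled: return .cancelled
        case let status:         return .failed(status)
        }
    }
}
```

The .enrollmentChanged outcome is what the app should treat as "Face ID has been disabled": it fires whether the owner or a thief with the passcode changed the enrollment, so the only safe recovery is the app's own password.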

Update (2023-03-14): multigreg (via Accidental Tech Podcast):

I set Screen Time restrictions with a passcode, without the option to remove it using AppleID (tapping ‘Cancel’ & ‘Skip’).

When I try the ‘Forgot passcode’ link, it still guides me through the options to enter my AppleID or device password, or find a forgotten AppleID.

John J. Boyer, RIP

James R. Hagerty:

John J. Boyer, raised on a Minnesota farm family with 12 children, was born blind and lost most of his hearing by the time he was 10 years old.

Kelly Meyerhofer (via Hacker News):

Boyer went on to develop a software program that converts written text into Braille, an invention fueled by childhood frustration over too few Braille textbooks to satisfy his scientific curiosity. His work dramatically expanded educational and employment access for the blind.

[…]

The National Foundation of the Blind supplied Boyer in college with a translator who took lecture notes and signed them into John’s hand. Boyer himself used no notes, relying completely on memory. His textbooks were transcribed into Braille, but there weren’t graphs of any kind, a challenge for a math major. Still, he graduated second in the college’s class of 1961.

Boyer struggled to find a job out of school. To expand his skillset, he designed his own hearing aid and trained a golden retriever, Sugar, to be his guide dog. He landed some computer programming jobs in Ohio and later at the University of Wisconsin-Parkside.

[…]

Boyer developed Liblouis, which translates text into Braille, as a free, open-source software for anyone to use. He also helped develop BrailleBlaster, which translates maps, graphics and math formulas into a format accessible to blind people.

gregfjohnson:

John and I were in graduate school together (computer science, U Wisconsin - Madison). He was indeed a remarkable person. He was blind and deaf. He carried around a little mechanical Braille typewriter. To talk with John, you would type, and he would extend his hand into the device and feel the Braille impressions of what you were typing.

Previously:

Mammoth 1.0.2

Filipe Espósito:

And now iOS and macOS users will have another great third-party option for accessing the social network from their devices with Mammoth, a new free client for Mastodon.

[…]

Unsurprisingly, those who have used Aviary in the past will feel quite familiar with Mammoth.

One of the main features of Mammoth is its multi-column based interface for iPad and Mac. Users can see their timeline, mentions, likes, private messages, bookmarks, and profile all on the same screen with just a scroll. The columns are customizable so that you have quick access to all the information you need.

It’s an iOS app that’s allowed to run on Apple Silicon Macs, but the developer has not verified it.

Previously:

Update (2023-02-27): Shihab Mehboob:

This first App Store release is just the beginning though. We have a big appetite to make Mammoth a beautiful Mastodon app for the rest of us. We’re a small startup team with a long history in the indie dev community, deeply steeped in Apple culture, open source, and building apps used by hundreds of millions. Our focus is on the end-to-end user experience we can offer as we combine Mammoth with our Moth.social server and backend work, all fully open source and building on what makes the fediverse special. And if you just want to use Mammoth with your favorite server, that should still be an awesome experience. We’re here to help the next one hundred million users join the Mastodon community. Read all about our vision here.

Bart Decrem:

A few folks have asked about our business model, our investors and why we boldly can state that Mammoth will always be free.

We have mostly decided that there will be a subscription version of Mammoth & moth.social. However, we have not yet figured out the details, and we care about the details. For example, we love the part of Mastodon culture where folks are encouraged to make a donation to their server team to help cover server costs, and we’d like that to be a significant part of our subscription system (supporting servers beyond moth.social, that is), but that comes with legal issues, App Store TOS issues etc.

Bart Decrem (via Colin Devroe):

I am pleased to announce that Mozilla is our principal investor.

KextViewr 2.0

Objective-See:

KextViewr is a utility with a simple goal: display all currently loaded kernel modules (or “kexts”). While Apple’s command-line tool kmutil can provide similar information, it’s nice to have a UI version, with filter, search, and export capabilities.

[…]

The displayed kernel extensions can be filtered using the ‘Filter Kexts’ search box, found at the top right corner of the app. Simply begin typing to filter all tasks based on their names, paths, etc. For example, typing ‘BSD’ will show only modules that contain ‘BSD’ in their name or path. KextViewr also contains special ‘hash-tag’ filters that can filter modules based on concepts such as “only system modules” (#apple) or “all non-Apple (3rd-party) modules” (#nonapple).

The new version includes an interface refresh and compatibility with newer versions of macOS.

Update (2023-02-27): Corentin Cras-Méneur:

YA great app! I used it on older Macs many times over to track old, legacy extensions that had been installed and long forgotten, to get rid of them and regain some sanity!