
How attackers, knowing only a person's name and email, gained access to all his accounts and remotely destroyed the information on all his devices

A very interesting article appeared today at wired.com. Within literally one hour, the author of the article, Mat Honan, had his Amazon, GMail, Apple and Twitter accounts hacked and the information on his iPad, iPhone and MacBook deleted. Among other things, he lost all the photos of his daughter since her birth, many documents and most of his correspondence. The most interesting part of the story is how the attacker gained access to the Amazon account and the Apple ID: nothing was needed for this except publicly available information and a phone.

The attacker liked Mat's three-letter Twitter handle. To get it, he did a little research and found that Mat's Twitter account linked to his personal website, which in turn listed his GMail address. With the GMail address in hand, the attacker started the password recovery process. Since Mat did not have two-step authentication enabled, Google kindly showed an obfuscated alternate address on the first password recovery screen: m****n@me.com. By matching this pattern against the GMail address mhonan@gmail.com, the attacker worked out the author's Apple email address.
The first thing the attacker needed in order to get to the interesting part was Mat's postal address, which the WhoIs record for his personal website readily revealed. With the address in hand, the attacker called Amazon, said he was the owner of the account and asked to add a new credit card. To verify that the caller really was the account owner, Amazon asked for the address, name and email. The attacker already had all of this, and he successfully added the number of a non-existent credit card, generated beforehand on one of the specialized sites.
Then he called Amazon again and said that he had lost access to his Amazon account. Amazon asked for a name, address and credit card number. After providing this information (the credit card number added in the previous step was accepted), the attacker was able to add a new email address to the account and then reset the password through it. The Amazon account shows a list of saved credit cards in which, for security reasons, only the last four digits of each number are displayed.
The attacker then called AppleCare, where he was asked for the name, address and the last four digits of the credit card, and was given a temporary password for the .me account. Through this account he reset the GMail password, and through GMail, the Twitter password. Using the Apple ID, he also wiped all information from the iPhone, iPad and MacBook with the Find My Phone and Find My Mac services. A sad end to the story.

Later, Mat contacted Apple, where he was told that in this particular case the internal policies had not been fully followed, and that Apple takes the security of its users very seriously. Wired also sent an inquiry to Amazon, but so far no response has been received.
Today, three days after all this happened, the Wired staff were able, within a few minutes, to reproduce the entire trick twice: from the address and name to access to the Amazon and Apple accounts, with all the ensuing consequences.


Source: https://habr.com/ru/post/149179/

