did anyone have their icloud password compromised?

Posted on
Thu Sep 25, 2014 8:29 pm
pantalones offline
Posts: 87
Joined: Mar 29, 2012

did anyone have their icloud password compromised?

Both of the accounts we use in Find my iDevices (which are stored in plaintext in the plugin) were hacked today. I'd like to know if any other Find my iDevices plugin users received an email from Apple saying that someone logged into their account on an ipad. Trying to track down the source of this data breach.

Posted on
Thu Sep 25, 2014 8:39 pm
matt (support) offline
Site Admin
Posts: 21411
Joined: Jan 27, 2003
Location: Texas

Re: did anyone have their icloud password compromised?

It is my understanding that a lot of the hacked accounts (celebrity photo leaks, etc.) might be because Apple didn't throttle incorrect password attempts. Thus hackers were able to perform brute force password attacks.

Note even having a password with: a few number substitutions, a couple of words together, or having a few random characters is not enough to prevent a brute force attack.

I don't know if that is related to your account compromise at all, just more of a public service reminder that folks should use randomly generated passwords with lots of entropy.


Posted on
Thu Sep 25, 2014 8:59 pm
pvrfan offline
Posts: 53
Joined: Apr 19, 2011
Location: Near Toronto, Canada

Re: did anyone have their icloud password compromised?

Are you SURE the email was from Apple? There are phishing attempts all the time...

Craig

Posted on
Thu Sep 25, 2014 10:29 pm
pantalones offline
Posts: 87
Joined: Mar 29, 2012

Re: did anyone have their icloud password compromised?

Yes 100% positive it was from Apple, it was not phishing (without going into reasons, I know and have verified its authenticity). Both my wife and I had our accounts logged in to within 3 minutes of each other. We were able to change the passwords, but someone else had access to them...somehow. So we're going down the list of things that had both accounts and the FMi plugin is certainly a candidate. It's odd that both of our accounts would have been compromised within minutes without the two addresses being associated/listed near each other somehow.

Posted on
Thu Sep 25, 2014 10:32 pm
five337 offline
Posts: 52
Joined: Jun 21, 2010

Re: did anyone have their icloud password compromised?

Your accounts were not hacked. It's Apple telling you that a device accessed your FIND MY IPHONE profile that is not in your list of trusted devices.

It looks like Apple started this around 5pm PST today. You should get an email from Apple every time the FMi plugin asks for your location from Apple. It thinks the plug-in is an iPad.

Somehow we have to get the plugin on the list of trusted devices. I've edited the ___INIT___.py file and added my UDID and device type. When I changed the device type, the emails from Apple reflected the correct device instead of iPad1,1.
Last edited by five337 on Thu Sep 25, 2014 11:00 pm, edited 1 time in total.

Posted on
Thu Sep 25, 2014 10:52 pm
pantalones offline
Posts: 87
Joined: Mar 29, 2012

Re: did anyone have their icloud password compromised?

Interesting. Thanks. So the only problem is that I did not touch any of my devices, so my assumption was that someone had manually done it (or via script). Do you have any more info on this?

Posted on
Thu Sep 25, 2014 11:06 pm
five337 offline
Posts: 52
Joined: Jun 21, 2010

Re: did anyone have their icloud password compromised?

You didn't need to touch anything. It was the plugin grabbing your location information from a device that Apple doesn't think you own or that you "trusted". When the plugin asks Apple "where are you" it represents itself to Apple as an iPad1,1 with a zero UDID. (That's why your email says iPad.) So every time (15 mins for me) the plugin asks Apple for your location, Apple thinks you are logging in from a foreign device and sends you that email.

Apple has really stepped up their game. I like the feature.
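A way to check the explanation above against your own inbox, as an added example that is not part of the thread or the plugin's code: group the sign-in notices by the device they name and test whether their spacing matches a fixed polling interval. The 15-minute interval comes from the post; the notice timestamps and the `iPhone6,2` entries are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: (time the sign-in notice arrived, device it names).
NOTICES = [
    ("2014-09-25 17:02:10", "iPad1,1"),
    ("2014-09-25 17:17:05", "iPad1,1"),
    ("2014-09-25 17:32:12", "iPad1,1"),
    ("2014-09-25 18:02:08", "iPad1,1"),    # one poll's notice is missing before this
    ("2014-09-25 19:41:33", "iPhone6,2"),
    ("2014-09-25 19:44:02", "iPhone6,2"),
    ("2014-09-25 21:10:50", "iPhone6,2"),
    ("2014-09-25 23:05:47", "iPhone6,2"),
]

def gaps_by_device(notices):
    """Return {device: [seconds between consecutive notices]}."""
    times = defaultdict(list)
    for stamp, device in notices:
        times[device].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    gaps = {}
    for device, stamps in times.items():
        stamps.sort()
        gaps[device] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps

def classify(notices, poll_seconds=900, tolerance=60, min_gaps=3):
    """Label a device 'periodic' when every gap is within `tolerance` seconds
    of a whole multiple of the poll interval (multiples allow for missed
    notices), 'irregular' otherwise."""
    result = {}
    for device, gaps in gaps_by_device(notices).items():
        if len(gaps) < min_gaps:
            result[device] = "insufficient data"
            continue
        on_schedule = True
        for gap in gaps:
            multiple = round(gap / poll_seconds)
            if multiple < 1 or abs(gap - multiple * poll_seconds) > tolerance:
                on_schedule = False
                break
        result[device] = "periodic" if on_schedule else "irregular"
    return result

if __name__ == "__main__":
    for device, label in classify(NOTICES).items():
        print(device, label)
```

A "periodic" label is consistent with an automated client polling on a timer; an "irregular" one deserves a closer look at the account's sign-in history.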

Posted on
Fri Sep 26, 2014 6:45 am
autolog offline
Posts: 3988
Joined: Sep 10, 2013
Location: West Sussex, UK [GMT aka UTC]

Re: did anyone have their icloud password compromised?

matt (support) wrote:
... Note even having a password with: a few number substitutions, a couple of words together, or having a few random characters is not enough to prevent a brute force attack.

I don't know if that is related to your account compromise at all, just more of a public service reminder that folks should use randomly generated passwords with lots of entropy.


Thanks for the useful link which makes very interesting reading. :)

Posted on
Fri Sep 26, 2014 7:46 am
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: did anyone have their icloud password compromised?

is there a way to set UDID to something that does not create the emails?

karl

Posted on
Fri Sep 26, 2014 8:51 am
five337 offline
Posts: 52
Joined: Jun 21, 2010

Re: did anyone have their icloud password compromised?

I've changed the init.py file to reflect a trusted UDID and I am still getting the emails. I think Apple is looking for something else.

Posted on
Fri Sep 26, 2014 1:17 pm
nlagaros offline
Posts: 1646
Joined: Dec 20, 2010

Re: did anyone have their icloud password compromised?

I changed the deviceUDID, osVersion, and productType. I stopped getting the emails once I restarted the plugin.

Posted on
Fri Sep 26, 2014 1:25 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: did anyone have their icloud password compromised?

where / how do you do it? in the plugin?

Karl

did you change it here?
    def get_partition(self):
        # TODO: log if debug
        body = json.dumps({
            "clientContext":{
                "appName":"FindMyiPhone",
                "appVersion":"%s" % FMIP_API_ID,
                "buildVersion":"145",
                "deviceUDID":"0000000000000000000000000000000000000000",
                "inactiveTime":2147483647,
                "osVersion":"4.2.1",
                "personID":0,
                "productType":"iPad1,1"

and to what?

Posted on
Fri Sep 26, 2014 1:36 pm
nlagaros offline
Posts: 1646
Joined: Dec 20, 2010

Re: did anyone have their icloud password compromised?

This is exactly right. I have an iPad 3 (old connector) that I have used with FindMyiPhone, so used that UDID (got it from iTunes). osVersion for me is 8.0.2 (updated yesterday), and productType is iPad3,1.

kw123 wrote:
where / how do you do it? in the plugin?

Karl

did you change it here?
    def get_partition(self):
        # TODO: log if debug
        body = json.dumps({
            "clientContext":{
                "appName":"FindMyiPhone",
                "appVersion":"%s" % FMIP_API_ID,
                "buildVersion":"145",
                "deviceUDID":"0000000000000000000000000000000000000000",
                "inactiveTime":2147483647,
                "osVersion":"4.2.1",
                "personID":0,
                "productType":"iPad1,1"

and to what?

Posted on
Fri Sep 26, 2014 2:08 pm
five337 offline
Posts: 52
Joined: Jun 21, 2010

Re: did anyone have their icloud password compromised?

Thank you! Even though my iPhone was a "trusted device", I did not have FindMyIphone app installed on it. Once I installed the app, the UDID trick worked. No more emails from Apple.

Posted on
Fri Sep 26, 2014 3:36 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: did anyone have their icloud password compromised?

for the dummies amongst us.. how did you get the information UDID, iPad type ...
and I guess it is not necessarily from the target device, but any device that has findmyiphone installed?


thx

Karl
