Apple Users Beware: Phishing Attack Exploits Password Reset Feature
A number of Apple users are being targeted by a phishing campaign that appears to abuse a weakness in Apple’s password reset flow: the attacker can trigger password-reset prompts against a victim’s Apple ID at will, without ever knowing the password.
Endless Approval Requests Bombard Devices
The attack bombards victims with a relentless stream of notifications on their iPhone, Apple Watch, or Mac. These notifications request approval for an Apple ID password change. The attackers hope that the sheer volume of requests will overwhelm the target and lead them to accidentally approve a request, or simply give up and click “Allow” to regain control of their device.
Gaining Access Through Notification Fatigue
If the victim approves even one request, the attackers can set a new Apple ID password and lock the victim out of the account and everything tied to it. Because the prompts are tied to the Apple ID rather than to a single device, they appear on every device signed in to that account, and each device stays unusable until the prompts on it have been dismissed one by one.
Fake Apple Support Calls: A Deceptive Tactic
If the flood of prompts does not produce an approval, the attackers may follow up with a phone call posing as Apple Support. The caller claims the victim’s account is under attack and tries to talk the victim into reading out the one-time code that Apple sends to the victim’s phone during the password reset process; with that code, the attacker can complete the reset themselves.
Leaked Information Fuels the Attack
In one reported case, the caller had the victim’s name, address, and phone number, apparently taken from a public people-search website. The attempt failed because the caller got the victim’s name wrong and asked for the one-time code, something Apple explicitly states it will never do.
Potential Bug in Apple ID Password Reset Process
The attack appears to depend on a weakness in Apple’s forgotten-Apple-ID-password page, which lets anyone start password recovery by entering an email address or phone number. The page is protected by a CAPTCHA, but the attackers seem to be circumventing whatever rate limit applies, so a single target can be sent dozens of reset prompts in quick succession. A limit that only counts requests per source address would not stop this, since the attacker can spread the requests across many addresses; what matters is how many prompts one account can receive in a given window.
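To make the rate-limiting point concrete, here is an added example (not Apple’s code, and not from the reporting above) of a password-reset throttle that models both designs: a limit keyed only on the requesting IP, and a limit keyed on the target account as well. The thresholds, the account identifier, and the simulated request stream are all assumptions for illustration.

```python
"""Password-reset initiation throttling: per-source vs per-target limits.

Added example, not Apple's code.  The notification-bombing attack works only
if an attacker can trigger an unbounded number of reset prompts for one
account.  A limit keyed on the *requesting* IP does not stop that (the
attacker rotates IPs); a limit keyed on the *target account* does.  The
thresholds, the target identifier and the sample traffic are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600   # assumed: sliding window of one hour
MAX_PER_SOURCE = 5      # assumed: resets one IP may start per window
MAX_PER_TARGET = 3      # assumed: prompts one account may receive per window


@dataclass
class ResetThrottle:
    """Sliding-window counters for password-reset initiation requests."""
    by_source: dict = field(default_factory=lambda: defaultdict(deque))
    by_target: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(q: deque, now: float) -> None:
        """Drop timestamps that have fallen out of the window."""
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def allow(self, source_ip: str, target_id: str, now: float,
              per_target: bool = True) -> bool:
        """Return True if a reset prompt may be pushed to target_id's devices.

        per_target=False models the weak design: only the requester is
        throttled, so a flood spread across many IPs goes straight through.
        """
        src = self.by_source[source_ip]
        self._prune(src, now)
        if len(src) >= MAX_PER_SOURCE:
            return False
        if per_target:
            tgt = self.by_target[target_id]
            self._prune(tgt, now)
            if len(tgt) >= MAX_PER_TARGET:
                return False
            tgt.append(now)
        src.append(now)
        return True


def simulate_flood(per_target: bool, attempts: int = 100) -> int:
    """Constructed attacker traffic: `attempts` reset requests against one
    account, each from a fresh IP, one second apart.  Returns how many
    prompts would actually reach the victim's devices."""
    throttle = ResetThrottle()
    victim = "victim@example.com"      # assumed target identifier
    delivered = 0
    for i in range(attempts):
        ip = f"203.0.113.{i % 256}"    # attacker rotates source addresses
        if throttle.allow(ip, victim, now=float(i), per_target=per_target):
            delivered += 1
    return delivered


if __name__ == "__main__":
    print("per-source limit only :", simulate_flood(per_target=False), "prompts delivered")
    print("per-target limit added:", simulate_flood(per_target=True), "prompts delivered")
```

With only the per-source limit, all 100 simulated requests reach the victim; with the per-target limit, the victim sees three prompts and the rest are dropped before a notification is ever pushed. The caveat a practitioner should weigh is that a per-target cap is itself a denial-of-service lever: an attacker who knows the victim’s email can exhaust the quota so the legitimate owner cannot start a reset during the window, so the cap should be generous enough for real use, logged as an abuse signal, and paired with a recovery path that does not depend on the throttled channel.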
How to Protect Yourself
- Tap “Don’t Allow” on every Apple ID password reset prompt you did not start yourself, on every device it appears on, even if there are dozens of them.
- Apple will never call you and ask for a one-time password reset code. Anyone who asks for that code, by phone or by message, is an attacker.
- Treat any unsolicited call or message claiming your account is compromised as suspect; if in doubt, hang up and contact Apple yourself through official channels.