{"id":969,"date":"2020-08-06T04:01:47","date_gmt":"2020-08-06T03:01:47","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=969"},"modified":"2020-08-06T04:01:47","modified_gmt":"2020-08-06T03:01:47","slug":"apple-touch-id-flaw-let-attackers-hijack-icloud-accounts","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/apple-touch-id-flaw-let-attackers-hijack-icloud-accounts\/","title":{"rendered":"Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts"},"content":{"rendered":"

Hijack iCloud Accounts- Apple earlier this year fixed a security vulnerability in iOS and macOS<\/p>\n

that could have potentially allowed an attacker to gain unauthorized access to a user’s iCloud account. Hijack iCloud Accounts<\/p>\n

Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest,<\/p>\n

the flaw resided in Apple’s implementation of TouchID (or FaceID)<\/p>\n

biometric feature that authenticated users to log in to websites on Safari, specifically those that use ID logins.<\/p>\n

After the issue was reported to Apple through their responsible disclosure program, the iPhone maker addressed the vulnerability in a server-side update.<\/p>\n

An Authentication Flaw – Hijack iCloud Accounts<\/h2>\n

The central premise of the flaw is as follows. When users try to sign in to a website that requires an ID,<\/p>\n

a prompt is displayed to authenticate the login using Touch ID. Hijack iCloud Accounts<\/p>\n

Doing so skips the two-factor authentication step since it already leverages a\u00a0combination of factors\u00a0for identification,<\/p>\n

such as the device (something you have) and the biometric information (something you are).<\/p>\n

Contrast this during logins to Apple domains (e.g. “icloud.com”) the usual way with an ID and password,<\/div>\n
wherein<\/div>\n
the website embeds an iframe pointing to Apple’s login validation server (“https:\/\/idmsa.apple.com”), which handles the authentication process.<\/p>\n
\n
\"Hijack<\/a>
Hijack iCloud Accounts<\/figcaption><\/figure>\n<\/div>\n

As shown in the\u00a0video demonstration, the iframe URL also contains two other parameters<\/p><\/div>\n

\u2014 a “client_id” identifying the service (e.g., iCloud) and a “redirect_uri” that has the URL to be redirected to after successful verification.<\/p>\n

But in the case where a user is validated using TouchID, the iframe is handled differently in that it communicates with the AuthKit daemon<\/p><\/div>\n

(akd) to handle the biometric authentication and subsequently retrieve a token (“grant_code”)<\/div>\n
that’s used by the icloud.com page to continue the login process. Hijack iCloud Accounts<\/p>\n

To do this, the daemon communicates with an API on “gsa.apple.com,”<\/p><\/div>\n

to which it sends the details of the request and from which it receives the token. Hijack iCloud Accounts<\/p>\n
<\/p>\n
<\/div>\n

<\/center><\/div>\n<\/div>\n

The security flaw discovered by Computest resides in the aforementioned gsa.apple.com API, which made it theoretically possible to abuse those domains to verify a client ID without authentication.<\/p>\n

“Even though the client_id and redirect_uri were included in the data submitted to it by akd,<\/p><\/div>\n

it did not check that the redirect URI matches the client ID,”<\/div>\n
Alkemade noted. “Instead, there was only a whitelist applied by AKAppSSOExtension on the domains.<\/div>\n
All domains ending with apple.com, icloud.com and icloud.com.cn were allowed.” Hijack iCloud Accounts<\/p>\n
\n
\"Hijack<\/a>
Hijack iCloud Accounts<\/figcaption><\/figure>\n<\/div>\n

This means that an attacker could exploit a cross-site scripting vulnerability on any one of Apple’s subdomains to run a malicious snippet<\/p><\/div>\n

of JavaScript code that can trigger a login prompt using the iCloud client ID, and use the grant token to obtain a session on icloud.com.<\/p>\n

Apple Setting Up Fake Hotspots to Take Over iCloud Accounts<\/h2>\n

In a separate scenario, the attack could be executed by embedding JavaScript on the\u00a0web page<\/a>\u00a0that’s displayed when connecting to a<\/div>\n

Wi-Fi network for the first time (via “captive.apple.com”), thus allowing an attacker access to a user’s account by just accepting a TouchID prompt from that page.<\/p>\n

“A malicious Wi-Fi network could respond with a page with JavaScript which initiates OAuth as iCloud,”<\/p><\/div>\n

<\/div>\n
\u00a0Alkemade said<\/a>. “The user receives a TouchID prompt, but it’s very unclear what it implies.<\/div>\n
<\/div>\n
If the user authenticates on that prompt, their session token will be sent to the malicious site, giving the attacker a session for their account on iCloud.”<\/p>\n

“By setting up a fake hotspot in a location where users expect to receive a captive portal (for example at an airport, hotel or train station),<\/p><\/div>\n

<\/div>\n
it would have been possible to gain access to a significant number of iCloud accounts,<\/div>\n
<\/div>\n
which would have allowed access to backups of pictures, location of the phone, files, and much more,” he added.<\/p>\n

This is not the first time security issues have been found in Apple’s authentication infrastructure. In May,\u00a0Apple patched a flaw<\/a>\u00a0impacting its<\/div>\n

<\/div>\n
“Sign in with Apple” system that could have made it possible for remote attackers to bypass authentication and take over targeted users’<\/div>\n
<\/div>\n
accounts on third-party services and apps that have been registered using Apple’s sign-in option.<\/div>\n
<\/div>\n
You May also like to read: http:\/\/zerothcode.com\/blog\/unc0ver-advanced-jailbreak-iphone-hack\/<\/a><\/div>\n
<\/div>\n
You May also like to read: http:\/\/zerothcode.com\/blog\/visiting-site-can-hack-iphone\/<\/a><\/div>\n
<\/div>\n","protected":false},"excerpt":{"rendered":"

Hijack iCloud Accounts- Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed<\/p>\n","protected":false},"author":1,"featured_media":970,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[238,1565,1571,303,1559,494,391,1566,1569,352,1574,1573,1572,1558,1567,1555,1570,260,1568,861],"class_list":["post-969","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=969"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/969\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/970"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=969"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}