
The Cloud Security Lesson Apple Should Have Learned From Gmail

Apple can't stop a malicious hacker once he's broken into your iCloud.

August 7, 2012

After chatting with his alleged hacker, journalist Mat Honan posted the full story of how attackers wiped out his entire digital life—MacBook, iPhone, iPad, Gmail, Twitter, Amazon accounts—late Monday, over at Wired. Honan tells it best, so I encourage you to read it from the source. The attack involved tricking Amazon's support desk into giving up the last four digits of his credit card and using those digits to trick Apple into resetting his iCloud account.

Honan admits to many regrets and lessons learned. But apart from learning never, ever to rely fully on cloud backup again (Honan hadn't backed up his files locally), he discovered something surprising about Apple's security practices: Apple can't stop a malicious hacker once he's broken into your iCloud.

While running through his list of regrets, Honan wrote, "Mostly, I shouldn't have used Find My Mac." Find My Mac is a feature built into OS X 10.7 Lion that lets users remotely locate and wipe their laptops, just like Find My iPhone. But while Find My iPhone is practical, since phones are easily lost, Find My Mac was poorly implemented:

"When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed," Honan writes. "But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN."  

As soon as a few of us at Security Watch read that, we felt a sense of déjà vu...

Back in June, cloud start-up CloudFlare found its Google Enterprise Apps account hacked (or "jacked," as Honan's attackers, Vv3, prefer to call it) through some simple social engineering.

The guilty parties were different, but the methods were similar: in CloudFlare's case, attackers tricked AT&T customer service into relinquishing CEO Matthew Prince's social security number, and Gmail's email recovery was weak enough that the attackers could then reset CloudFlare's Gmail password.

In CloudFlare's case, the attackers bypassed two-factor authentication in Google's enterprise app account by hacking into a secondary email address with information provided by AT&T, and resetting its password. 

The irony here is that in both cases, two security features—two-factor authentication and remote wipe—involved weak account recovery practices and wound up being used against the victims. 

How Google Responded
But unlike Apple, Google disclosed the problem publicly and fixed the loophole right away. CloudFlare CEO Matthew Prince learned how the attackers bypassed Google's 2FA: 

"If an administrator account that was configured to send password reset instructions to a registered secondary email address was successfully recovered, 2-step verification would have been disabled in the process," a Google spokesperson told reporters. "This could have led to abuse if their secondary email account was compromised through some other means. We resolved the issue last week to prevent further abuse."
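To make the loophole concrete, here is an added Python model (not from the article, and not Google's or Apple's code) that ranks the cheapest account-recovery chain into a target account; the account names, effort scores, hop costs and the `recovery_disables_2fa` flag are constructed assumptions that mirror the two incidents described above, and the point it shows is that a second factor which the recovery flow switches off adds nothing to the cost of the chain.

```python
from dataclasses import dataclass, field

# Added when a second factor still has to be defeated after a recovery;
# deliberately large so any chain that keeps 2FA intact ranks as impractical.
TWO_FACTOR_COST = 100
# Cost of one "reset this account using that one" hop (constructed scale).
RESET_HOP_COST = 1


@dataclass
class Account:
    name: str
    direct_reset_effort: int          # constructed 1-9 scale; 9 = no practical direct reset
    reset_via: list = field(default_factory=list)  # accounts whose takeover permits a reset
    two_factor: bool = False
    recovery_disables_2fa: bool = False  # the Google Apps loophole quoted above


def weakest_chain(accounts, target, seen=frozenset()):
    """Return (effort, chain) for the cheapest recovery path ending at `target`."""
    acct = accounts[target]
    # A second factor only counts if it survives the recovery flow.
    factor_cost = TWO_FACTOR_COST if acct.two_factor and not acct.recovery_disables_2fa else 0
    best = (acct.direct_reset_effort + factor_cost, [target])
    for dep in acct.reset_via:
        if dep in seen:
            continue  # avoid cycles (e.g. two mailboxes that recover each other)
        cost, chain = weakest_chain(accounts, dep, seen | {target})
        total = cost + RESET_HOP_COST + factor_cost
        if total < best[0]:
            best = (total, chain + [target])
    return best


def cloudflare_graph(fixed=False):
    """Constructed model of the CloudFlare case: AT&T -> secondary email -> Google Apps admin."""
    return {a.name: a for a in [
        Account("att", 2),  # support desk gave up the SSN
        Account("secondary_email", 9, reset_via=["att"]),
        Account("google_apps_admin", 9, reset_via=["secondary_email"],
                two_factor=True, recovery_disables_2fa=not fixed),
    ]}


def honan_graph():
    """Constructed model of Honan's case: Amazon -> Apple ID / iCloud."""
    return {a.name: a for a in [
        Account("amazon", 2),  # support desk gave up the last four card digits
        Account("icloud", 9, reset_via=["amazon"]),
    ]}


if __name__ == "__main__":
    print("CloudFlare, before fix:", weakest_chain(cloudflare_graph(), "google_apps_admin"))
    print("CloudFlare, after fix: ", weakest_chain(cloudflare_graph(fixed=True), "google_apps_admin"))
    print("Honan:                 ", weakest_chain(honan_graph(), "icloud"))
```

Before the fix the 2FA-protected admin account costs exactly one hop more than the secondary mailbox; after the fix the same chain still exists but carries the full second-factor cost.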

"Cloud" isn't the problem; policy is. Gmail learned from its mistake (and we're still scratching our heads looking for another consumer cloud that uses two-factor authentication); it's high time for others to follow suit.

Fallen Hero Pwnie?
Tangentially related, I think Honan deserves an honorary Pwnie award next year. The comments on his Tumblr blog posts are among the nastiest I've seen. Yes, Honan made lots of silly, humiliating security mistakes—which almost cost him a year's worth of photos of his young daughter—but now all of us are reaping the benefits of learning from those mistakes. And on that note, be sure to check out Fahmida Rashid's four tips for preventing a similar scenario from happening to you.