Apple's two-step verification system has a major problem

Apple users who think their iCloud data is secure from hackers after turning on Apple's two-step verification security feature may want to think again.

A group of Moscow security researchers were able to find a way around Apple's two-step verification program, allowing them unauthorized access to iCloud data.

While the vulnerability didn't allow the researchers to make unauthorized purchases, it did grant them access to data stored on iCloud. Such access could result in a mass deletion of data stored in iCloud, much like the attack suffered by Wired journalist Mat Honan, who witnessed his entire digital life dissolve before his eyes.

The hackers used a technique called social engineering - which typically implies gaining access to sensitive information by calling tech support - to reset Honan's iCloud password and gain access to his account. From there, they reset the passwords for other online accounts, deleting data along the way. Honan contends that if he had two-factor verification, the hackers would've been limited in their efforts.

Two-factor verification is a security method growing in popularity among larger tech enterprises. Such security systems are designed to prevent hackers from gaining access to data by requiring users to carry a trusted device - say, a cell phone - which can receive a specialized code to use alongside the user's typical password.

As ElcomSoft notes, the problem with Apple's two-step verification is that the system does nothing to protect a user's iCloud and iOS backup data. That data simply isn't covered by Apple's two-step program. All a hacker needs to access this information is an Apple ID and the account's corresponding username.

"This is easy to verify; simply log in to your iCloud account, and you'll have full information to everything stored there without being requested any additional logon information," ElcomSoft CEO Vladimir Katalov said in a company blog post.

It is entirely possible that Apple rushed its two-factor verification system out in response to the very public attack on Honan. Alternatively, as Ars Technica notes, Apple could simply be choosing user convenience over user security.

That would put the company at odds with Google, another tech giant with a two-factor verification program. Google's two-step verification program is far more robust, allowing users to log into their Google accounts through a variety of applications while maintaining tightened security. To do this, Google's two-factor verification system generates application-specific passwords for users to enter in addition to their password, which makes logging in more complicated.

"... Apple's approach in implementing two-factor authorization does not look like a finished product," Katalov said. "It's just not as secure as one would expect this solution to be."

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
