Honan has written a four-page article for Wired describing how he became aware of the attacks, and what he learned about how they were perpetrated through his conversations with the hacker who did it. And the results are chilling. I had originally assumed the accounts fell to plain old social engineering, when someone tricks the person over the phone into telling them something they shouldn’t. But the hack ended up not involving human error at all—it took advantage of existing flaws in the way the security setup works, and how information from one site can be used to authenticate at another.
For example: anyone who can find out your name, billing address, and e-mail can add a new credit card number to your Amazon account by phone—then they can call back in and use that new credit card number as an authentication factor to change the e-mail on the account and send a password reset. While they couldn’t get access to the complete card numbers already stored on the account, and would probably be asked to re-enter the numbers to verify before they ordered, they could nonetheless see the last four digits—the same digits that Apple uses as an authentication factor to set a new iCloud password.
And Honan’s e-mail address was scooped by running the password recovery check on Gmail. If you don’t have two-factor authentication enabled, Gmail will show enough of the partially masked recovery e-mail address to make the rest guessable.
And the security holes are all still there. Honan and other Wired reporters tried them out over the course of writing the story, and they still work. They’re inherent in the way the system works, and it’s not clear what, if anything, can be done about them.
Honan admits fault for not backing up his computer and for linking his cloud accounts together. He reflects that using “Find My Mac” was a mistake, because it was what allowed the hackers to wipe his computer remotely. And he suggests it’s a good idea to have a password recovery e-mail address that isn’t used for any other purpose, so it can’t be used to gain access to accounts like Amazon or iCloud.
But in the end, perhaps the scariest thing is that he didn’t come in for this attention because of anything he’d written or had done. The hackers just wanted to steal his three-character Twitter account, and the only reason they’d wiped his computer was to make it harder for him to get back into it.
So if you buy e-books, or music, or movies, or anything from Amazon, Apple, or Google, be warned. Your accounts might easily be compromised if anyone has a reason to go after them—or just feels like it.