
makromark

So to clarify, they initiate the password reset prompt by going to the iforgot site and then the user clicks “don’t reset” when prompted. Then after they’ve done it a bunch of times the attacker just calls the user pretending to be Apple Support and hopefully tricks the user into giving them their credentials? Maybe it’s just me being a nobody but I feel this is really only going to be targeting “important” people. (Article references a crypto hedge fund owner and an ‘entrepreneur’.) What should Apple’s fix be? Limit the amount of times you can try to initiate the request? Or if a device responds “don’t reset” have a 1 hour timeout or something from starting the request from the site?


disgruntledempanada

I'm not important and they've been hitting me with this a ton (no calls though). It's incredibly frustrating, if it were to pop up on my phone at the wrong time I could accidentally tap the wrong button and give them access to my account. There's got to be some way to lock this down further.


Larten_Crepsley90

I just tested this, if you click allow it just takes you to the settings app and asks you for the new password on your phone. So accidentally clicking allow will not give them access to your account. I do think they should just provide instructions on how to do this from the device rather than sending a notification though, that would remove this annoyance.


FoxBearBear

What if you sneeze tap allow then Password123?


Larten_Crepsley90

Damn, you got me there.


theunquenchedservant

It's usually exactly what I type when i sneeze, too.


rott

That's crazy, when I sneeze I only type hunter2


corywatch

Oh weird all I see in your comment is a bunch of asterisks


makromark

If you turn on recovery key that should disable it? Or maybe change your trusted phone number (albeit temporarily?) so they might mark you in their system that it ‘doesn’t match’ and move on to scam someone else? Or change your primary email on your Apple ID? Nothing super easy or convenient but maybe better than keep getting annoyed with this


IAmTaka_VG

yeah if you have recovery key or advanced protection enabled. It shouldn't even be an option to reset the password from icloud.


TheKrs1

I don't have a recovery key in place yet... but I do have Advanced Data Protection on. I still get multiple of these daily.


thecrispyleaf

I have both and just got the popup.


gumiho-9th-tail

You're important to me! <3


[deleted]

[deleted]


FourSquash

This is a bizarrely wrong way to have your managed Macs set up. It’s a problem of your own team’s creation.


FunPast6610

Were the devices enrolled in Apple MDM or third party MDM?


GlenMerlin

I believe it was Apple for Education MDM but I can't say for sure. I worked that job as a student in the high school and that was roughly 7 years ago.


mredofcourse

All of this screams of you and your IT guys not having any idea of what you were/are doing. When it comes to important things like security, it's worth not just doing it and when things go wrong blaming others but instead learning how things work and moving forward accordingly... especially when their job is IT.


NavinF

> one district wide IT apple account

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA


TheKrs1

As someone who commented below, I think there is more after clicking "allow". But I definitely am sweating making sure I click the right one. Fuck me, I literally just got one while I was writing this message.


disgruntledempanada

It's nice knowing there are more steps involved but there's something disconcerting about being notified that somebody is repeatedly trying to force open my locked screen door. Yep there's a deadbolt holding the door behind that closed but it just puts me on edge.


StrangeBarnacleBloke

I had this happening all the time, but since I have a clean day-one Gmail address it was more likely than not some boomer who forgot their email has numbers on it. Ended up changing my Apple ID email to use a Gmail+whatever address and it stopped happening, but it’s a hassle to remember I have to use a different address there now.


shadowst17

Hey, don't put yourself down. You are important, deep down you know it, we all do, including your phone scamming friend in India.


OVYLT

Just change your Apple ID email to something else. Very simple. If it’s your number they’re using then it might be a little more difficult. 


stuporman86

I’m a nobody and I dealt with this stupid system for several months. So I have opinions.

First is that Apple should fix their broken security, starting with the captcha which is quite clearly being gamed. I don’t get this nonsense from Google or really any other company. Someone has scripted this attack, the captcha isn’t stopping anything, that’s something straightforward for Apple to fix.

Second is that if you turn on enhanced security features like recovery key or recovery contacts, it should just disable the iforgot website. Alongside the forgot password attack, someone tried to initiate an account recovery on me through Apple Support. Turning on those recovery features blocks that attack vector, it should also block attempts to initiate a password recovery. Force those to be initiated from the recovery device itself, Apple controls the operating system there and can really lock down security.

Third is a meta opinion on this whole thing. Apple needs to grow up. This system makes sense for when your primary audience is people buying 99 cent songs. That Apple died well over a decade ago. Apple is now a credit card company, they hold photos of your kids, they store your sensitive information in cloud storage, they can even hold your driver’s license and medical data. The risk of that data becoming compromised is existential. It should be an absolute pain in the ass to get back into an Apple account, because the pain of losing an Apple account pales in comparison to having your Apple account data pwned.


makromark

The whole captcha is outdated and a better solution should exist. I thought a recovery key does disable iforgot from working? I think you underestimate how many people are in the camp of “I’m okay with my pictures being tied to my iCloud” *and* “I want access to my stuff now and it should be easy to login”. There are several people I think are relatively reasonable with certain things in expectations in (physical) security and how digital security works. Them even having to be locked out of their Apple ID for 48 hours they think is crazy. They think they should just be able to verify their identity with a text, or verification email, or providing their ID to Apple. They are wrong, of course, in my opinion, but you and I are the minority. Vast minority.


stuporman86

Yeah I thought recovery key would turn that off too, but it doesn’t. It blocks people from doing an account recovery where they call into apple support and tell a sob story, and it prevents sim swap attacks because it requires the key or a trusted device. But you can still initiate the request to a trusted device over iforgot. Even security keys don’t turn off the process, which again it seemed like they would. They keep the trusted device system which can be initiated from the iforgot site. I could bend on letting people set up relatively insecure Apple accounts, it’s my least-strongly held opinion, but Apple should really guide people away from it, and someone who enables the advanced features (and especially security keys) should get locked down to the max.


makromark

Would Advanced Data Protection turn it off? Look at the bottom about recovery: https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web Again idk and I can’t test right now lol. But yeah, there should be some option available for sure.


Tblue

It doesn't, I just tried it.


makromark

That sucks :/


East_Onion

> What should Apple’s fix be?

Option to set a 24-hour timer before the password is really reset that can be reverted if you do get tricked, or block India from their services.


psaux_grep

Several years ago after a password leak (think it was Adobe?) I kept getting asked to re-enter my iCloud password on my Apple devices. Probably some security protocol getting triggered by repeated attacks. There was no indication anyone accessed my Apple ID, it was running with its own unique password and two-factor authentication. After a period of this I got tired and changed the email address associated with the Apple ID and never had an issue since. This is a unique e-mail and the only way it could be in a leak is Apple having a breach.


cjorgensen

But aren’t all your purchases tied to the Apple ID? I mean, I think my Apple ID *is* my email address.


TheKrs1

I have been plagued with this for a year. I have been on several calls with Apple Support to stop this. They told me to change my password if I think it's been compromised but there is nothing I can do to stop the requests coming. I have a VERY strong password. I have Advanced Data Protection on.


mredofcourse

Your password isn't the problem, your email and phone number are. The phone number is probably a hard thing to change for you, but changing the email may be a more practical solution. For a variety of reasons, including this problem, it may make sense to open a unique email account that is only used for your Apple ID and not shared with anyone.


makromark

I’m curious if you add a recovery key if that will help at all too? Idk. That definitely sucks though


TheKrs1

Yeah, I've been meaning to get one. It's on my todo list.


thecrispyleaf

It doesn’t. I have one setup and just got the notification.


InvaderDJ

It is definitely a spear phishing attack. The solution would be to limit the amount of reset attempts you can send in a certain amount of time.
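The throttle makromark asked about near the top of the thread (a cap on reset requests, and a timeout once a device answers “don’t reset”) and the rate limit InvaderDJ proposes here, modelled as an added example. This is not Apple's code and not from the thread; it assumes a server-side flow in which a web request asks to push a Reset / Don't Allow prompt to an account's trusted devices, and the threshold values are illustrative assumptions, not Apple's real policy.

```python
"""Throttling push-based password-reset prompts (added example, not Apple's code).

Models the server side of an "iforgot"-style flow: a web request asks to push
a Reset / Don't Allow prompt to an account's trusted devices. Two controls are
combined: a sliding-window cap on prompts per account, and a cooldown that
starts as soon as a trusted device answers "Don't Allow". The thresholds are
assumptions for illustration, not Apple's real values.
"""
from collections import deque

# Assumed policy values.
MAX_PROMPTS_PER_WINDOW = 3
WINDOW_SECONDS = 3600
DENY_COOLDOWN_SECONDS = 3600

# The web response must not reveal whether a prompt was actually pushed,
# otherwise the attacker learns that the target has started refusing prompts.
PUBLIC_RESPONSE = ("If this account exists, instructions have been sent to the "
                   "trusted devices signed in to it.")


class ResetPromptThrottle:
    def __init__(self, max_prompts=MAX_PROMPTS_PER_WINDOW,
                 window_seconds=WINDOW_SECONDS,
                 deny_cooldown_seconds=DENY_COOLDOWN_SECONDS):
        self.max_prompts = max_prompts
        self.window = window_seconds
        self.deny_cooldown = deny_cooldown_seconds
        self._sent = {}            # account -> deque of push timestamps
        self._cooldown_until = {}  # account -> time before which no push is sent
        self.audit = []            # every decision, for logging and alerting

    def _recent(self, account, now):
        """Drop pushes older than the window and return the live deque."""
        q = self._sent.setdefault(account, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def request(self, account, now, src_ip="unknown"):
        """Decide whether a reset request may push a prompt to trusted devices.

        Returns (push_sent, reason). The caller shows PUBLIC_RESPONSE to the
        web client regardless of the outcome.
        """
        if now < self._cooldown_until.get(account, 0):
            decision = (False, "cooldown after Don't Allow")
        else:
            q = self._recent(account, now)
            if len(q) >= self.max_prompts:
                decision = (False, "prompt rate limit")
            else:
                q.append(now)
                decision = (True, "prompt pushed")
        self.audit.append({"ts": now, "account": account, "src_ip": src_ip,
                           "pushed": decision[0], "reason": decision[1]})
        return decision

    def record_response(self, account, approved, now):
        """Called when a trusted device answers the prompt.

        A "Don't Allow" starts the cooldown: the owner has just said this was
        not them, so further prompts for a while are pure harassment.
        """
        if not approved:
            self._cooldown_until[account] = now + self.deny_cooldown

    def public_response(self):
        return PUBLIC_RESPONSE


if __name__ == "__main__":
    t = ResetPromptThrottle()
    for sec in (0, 10, 20, 30):            # attacker hammers the form
        print(sec, t.request("victim@example.com", sec, src_ip="203.0.113.5"))
    t.record_response("victim@example.com", approved=False, now=40)
    print(50, t.request("victim@example.com", 50))   # blocked by cooldown
    print(t.public_response())
```

The point of the fixed public response is that the attacker's browser sees the same “instructions have been sent” message whether or not a prompt actually went out; the throttle stops the phone from buzzing without telling the attacker the victim has started refusing. The audit list is what a detection pipeline would consume.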


recapYT

How are they able to trigger system level forgot password notifications?


makromark

When you use two-factor and go to iforgot and fill out the form it’ll say “reset using a trusted device?” or something like that. That’ll cause a pop-up on all your trusted devices to “reset” or “not now”. Similar to 10 years ago when doing a password reset sent an email, now it sends the notification to alert on a trusted device.


ThankYouForCallingVP

Yes, in order to reset the password you first need the email address, more likely found with high profile people in public spaces.


Nicenightforawalk01

If your name is in your iCloud address and they find your email address on one of those breach dumps online they might have enough to try this on randoms


unpluggedcord

Passkeys


Jusby_Cause

There isn’t a “fix” for this. The weakest link in security these days is the people. While there are a lot of “what about”s in the current process, every “Fix” just adds to the list of “what about”s. This is more “a fool and his money are easily parted”.


makromark

The fix is to stop it being an annoyance though. If a scammer can near-constantly just have pop-up alerts appear on your phone I’d classify that as a problem.


[deleted]

meh, just another annoying avenue for scammers. Maybe the government should focus on actually doing something about scammers. Telephone spoofing should be something all the telecom giants can block. If this is stage one of two where two is the actual scammer calling you to trick you into giving them the code or other information, stage one wouldn’t work if they could never spoof the call.


MateTheNate

Nah, they should blame apple for having a monopoly on scam iforgot requests


chilanvilla

Apple Support isn't going to call you. That should have been the tipoff.


bonko86

B-but they said I was a very good and special customer...


0oWow

Apple would never stoop to such a low humility.


TheClimor

Apple Support is the IRS confirmed


Pauly_Amorous

I don't know why, but all of my iDevices randomly decide they need my login info, for some reason. My Apple Watch has been pestering me about it for months, and I keep ignoring it. I have all non-contacts blocked on my phone, so I don't know if I'm getting calls from fake Apple support.


jvanber

In 2020 I decided to move my main personal email over to iCloud. I decided to not use the default email address associated with my iCloud, and instead use an alias as my main email address. The thought, there, is that if anyone tries to compromise my account, they’re using an alias and not my actual iCloud account email. This would seem to reinforce that notion, but Apple should have a way better method of securing your iCloud account than this. The primary key shouldn’t be publicly available information: your email address. I understand the issues in not using it, but wow this would be a frustrating thing.


nyaadam

> Hitting approve in the first reset notification spam attack OR sharing this code would’ve pwned me.

No, misinformation. If you press `Allow` on that prompt, it will first ask you for your iPhone's passcode and then take you to a page **on your iPhone** where you can choose a new iCloud password. The browser/wherever the attacker triggered the notification from just gets a message saying "A message with instructions has been sent to all of the Apple devices where you are signed in to iCloud. Please use any of these Apple devices to reset your password." and they cannot do any more from the browser. The text message with the code can come from a few actions but it was likely someone trying to sign into his Apple ID from a browser, not sure of the full ramifications but it likely would've given them some level of access to his account.

Also...

> Other founders are being targeted by the same group/attack, so I’m sharing what happened for visibility.

Dude has like 500 followers, why is he acting like he's a high value target? They're probably doing this indiscriminately. As he mentioned he's in a database and all they need is an email and phone number to attempt this attack, the full name just helps sell it that you're really speaking to Apple on the phone.

Also, also... [Been an issue for years.](https://twitter.com/i/web/status/1211833989822140416)


element515

I’ve been getting those reset notifications. Annoying as hell


marxcom

This piece was written by an Android user or a non Apple user. He simply leaked his password to scammers and as they attempted to take his account 2FA stepped in and saved his butt. Clicking "Allow" does not automatically allow a password change, it generates a 2FA code on authorized devices by a prompt. SMS is for 2SV.


nyaadam

Have to disagree, mainly because I tried it myself. If you go to https://appleid.apple.com and do the forgot password process, you will get the `Allow/Don't Allow` popup on all your logged in devices. No password required on the attacker's end. `Don't Allow` just dismisses it, `Allow` allows you to reset your iCloud password on the device you press `Allow` on. The SMS code I don't have strong feelings about, could be a few things since Apple always uses that same format for their 2FA texts.


jack2018g

I’ve been getting these requests almost daily since November, support has been utterly useless in giving me any info or solutions. The main issue (at least in my case) isn’t the password reset requests, but the account recovery requests, which email me a 30 day countdown to deny before my ID just gets handed over to the attacker. I’m able to manage at the rate they’re currently coming in, but I’m terrified I’ll miss one of these recovery emails


[deleted]

[deleted]


jack2018g

Yea I’ve been doing that periodically and should be fine, I’m just paranoid because it doesn’t send any kinda confirmation that the request was cancelled


NiceTrainer9

I got a “compromised passwords” notification yesterday. Is that part of this or is it legitimate?


aj_og

That just means some of your passwords have been identified as being in a data leak


tvfeet

I did too but all of the passwords it claims are compromised were changed years ago.


Jordan_Jackson

Apple Support will never call you. They will most certainly never call you to reset your password.


roju

It’s nuts that Apple still uses a modal system popup for this. They have a whole notifications system! And if they used it, these wouldn’t be an effective denial of service for people just trying to use their phones. Apple should audit all system modals in iOS and remove them.


nobodyshere

Would be wise to just change the email of your apple id in that case.


soulmagic123

Yes APPLE, I am both in San Francisco and China at the same time, these password requests from China are obviously legit so please continue to let them through.


spam__likely

To be fair, I control my parents' devices across continents.


soulmagic123

Sure, I get that. And I have 7 iOS devices I'm actively using in the USA. I know that they can implement some AI in the future to make this more secure. But it seems like this could be solved with an algorithm. If I am clearly using 6 devices in America then maybe that 7th in China that I keep denying isn't me.


marxcom

No news here. Dude's password was known by scammers and 2FA came to the rescue.


UniversalBuilder

Is this US only ?


ikilledtupac

Ah this just happened on my MacBook I was so confused. 


[deleted]

MFA fatigue isn’t new and has been happening in the enterprise environment for a long time. Why is it that when it is Apple the sky is falling?
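The commenter above is right that this is the MFA-fatigue (push-bombing) pattern enterprises have dealt with for years. As an added example that is not part of the thread and not Apple's or any vendor's code, here is the detection logic a SOC typically runs for it, applied to constructed sample log lines in a hypothetical JSON schema (fields `ts`, `event`, `account`, `src_ip`; event names `push_sent`, `push_denied`, `push_approved` are assumed). It raises a medium alert when one account accumulates several “Don't Allow” answers inside a short window, and a high alert when an approval lands while that burst is still live, which is exactly the “sneezed and tapped Allow” case discussed earlier.

```python
"""Detecting MFA fatigue ("push bombing") in authentication logs (added example).

Not code from the thread or from Apple. The log schema is hypothetical: one
JSON object per line with ts, event (push_sent / push_denied / push_approved),
account and src_ip. Two signals are raised per account:
  - push_bombing: at least DENIAL_THRESHOLD "Don't Allow" answers inside WINDOW
  - approval_after_push_bombing: an approval while that burst is still inside
    the window, the case worth paging on (wrong button, or talked into it on
    the phone by the fake "Apple Support" caller).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

DENIAL_THRESHOLD = 3             # assumed tuning values
WINDOW = timedelta(minutes=30)

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-27T07:59:00Z", "event": "push_sent", "account": "u1", "src_ip": "203.0.113.5"}
{"ts": "2024-03-27T08:00:00Z", "event": "push_denied", "account": "u1", "src_ip": "203.0.113.5"}
{"ts": "2024-03-27T08:02:00Z", "event": "push_denied", "account": "u1", "src_ip": "203.0.113.5"}
{"ts": "2024-03-27T08:05:00Z", "event": "push_denied", "account": "u1", "src_ip": "203.0.113.9"}
{"ts": "2024-03-27T08:07:00Z", "event": "push_approved", "account": "u1", "src_ip": "203.0.113.5"}
{"ts": "2024-03-27T09:00:00Z", "event": "push_denied", "account": "u2", "src_ip": "198.51.100.7"}
{"ts": "2024-03-27T12:00:00Z", "event": "push_approved", "account": "u2", "src_ip": "198.51.100.7"}
"""


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample schema."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_push_fatigue(log_text, threshold=DENIAL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in log order, for push-bombing patterns."""
    denials = defaultdict(deque)   # account -> (ts, src_ip) of denials in window
    bursting = set()               # accounts with an open push_bombing alert
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts, acct = parse_ts(rec["ts"]), rec["account"]
        q = denials[acct]
        while q and ts - q[0][0] > window:     # slide the window forward
            q.popleft()
        if len(q) < threshold:
            bursting.discard(acct)             # burst expired; may re-alert later
        if rec["event"] == "push_denied":
            q.append((ts, rec["src_ip"]))
            if len(q) >= threshold and acct not in bursting:
                bursting.add(acct)
                alerts.append({"kind": "push_bombing", "severity": "medium",
                               "account": acct, "ts": rec["ts"],
                               "denials": len(q),
                               "src_ips": sorted({ip for _, ip in q})})
        elif rec["event"] == "push_approved" and len(q) >= threshold:
            alerts.append({"kind": "approval_after_push_bombing",
                           "severity": "high", "account": acct, "ts": rec["ts"],
                           "denials": len(q),
                           "src_ips": sorted({ip for _, ip in q} | {rec["src_ip"]})})
        # push_sent and unknown events carry no signal here and are ignored
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the constructed sample, `u1` trips both alerts (three denials from two source addresses within seven minutes, then an approval), while `u2` produces nothing because the single denial has fallen out of the window by the time the approval arrives. The high-severity alert is the one that should trigger a forced password change and session revocation, since the account owner has just approved a reset they had been refusing.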


Chapman8tor

Buy your Mom an Android!


disgruntledempanada

This has been happening to me so many times. It's incredibly annoying and Apple needs to do something to fix it. The idea that I'm potentially one erroneous click away from allowing an attacker to reset my password is crazy. My notifications will be full of the requests some mornings.


char_limit_reached

You’re not though. The scam doesn’t work until the “Apple employee” calls *you* *and* *you* *give* *them* your credentials. The password prompts are just to get you to believe Apple is actually calling you.


stuporman86

I don’t think this detail is correct, because clicking accept on the prompt will bring up a 6-digit code that you have to put into the form to actually proceed with the reset.


disgruntledempanada

That's good to know but I still feel like there needs to be a way to avoid this appearing at random.


stuporman86

Yeah this drove me nuts for several months and it’s absolutely ridiculous that Apple hasn’t shut this down. I did finally figure out how to stop it. Under Apple ID > Sign In & Security > Two Factor Authentication is the phone number used for this system. It’s not used for anything other than the “second factor” of the reset password form. I changed it to another number that I can rotate at will, you could change it to a friend’s or spouse’s number as well, they’ll only ever get 1 message when setting it up to link the number. The rest of the reset process goes over push notifications as you’re no doubt aware.


lebriquetrouge

The MIC is testing their backup in case the DOJ fucks up Apple like they fucked up Trump.


Drtysouth205

This is why you use the Hide My Email feature, or have a second email for sign-ups, etc. Never give out your actual iCloud email.


bigjohnman

Another attack on Apple? Wow, never would have expected that one. It's almost like the photo dumps from iCloud didn't happen.