
Hackers may have manipulated Apple biometric security glitch to access iCloud accounts

iPhone in use

A security vulnerability detected by Apple in biometric features Touch ID or Face ID in February may have enabled unauthorized access to iCloud accounts, if the modules were used to log in to accounts on Safari, writes The Hacker News. The vulnerability has since been fixed.

How did it work? When logging in to a website on Safari with an Apple ID, users can authenticate with Touch ID instead of entering a password and completing two-factor authentication, since the biometric step itself combines multiple factors. This differs from the traditional ID-and-password login to Apple domains, where authentication is handled by an iframe embedded on the website and linked to Apple’s login validation server.

If Touch ID is used, the iframe process changes to support biometric authentication and token retrieval in the login process, with the work done by an authentication daemon known as ‘akd.’ “To do this, the daemon communicates with an API on ‘gsa.apple.com,’ to which it sends the details of the request and from which it receives the token,” the publication explains. The flaw was located in that API, and it enabled domain abuse: a cross-site scripting vulnerability on any of the whitelisted subdomains could be used to exploit it.

“Even though the client_id and redirect_uri were included in the data submitted to it by akd, it did not check that the redirect URI matches the client ID,” said Thijs Alkemade, the security specialist who found the glitch. “Instead, there was only a whitelist applied by AKAppSSOExtension on the domains. All domains ending with apple.com, icloud.com and icloud.com.cn were allowed.”
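The quote above describes a redirect-URI check that only looks at the host suffix and never ties the redirect back to the requesting client. The following is an added illustration, not Apple's code or anything from the article: it places a suffix-only check (the weak pattern described) beside a per-client exact-match check, the usual defence for this class of OAuth flaw. The client identifier, registry and callback URL are constructed for the example; the three suffixes are the ones the article quotes.

```python
from urllib.parse import urlsplit

# Domain suffixes the article says were whitelisted.
ALLOWED_SUFFIXES = ("apple.com", "icloud.com", "icloud.com.cn")

# Constructed registry: each client_id maps to the exact redirect URIs it registered.
# The client_id and URL are hypothetical placeholders, not real Apple values.
CLIENT_REDIRECTS = {
    "com.example.icloud-web": {"https://www.icloud.com/auth/callback"},
}


def host_allowed_by_suffix(redirect_uri: str) -> bool:
    """True if the redirect host is one of the allowed domains or a subdomain of one.

    The match is anchored at a dot boundary so that a host such as
    'notapple.com' does not pass as 'ending with apple.com'.
    """
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def validate_redirect_weak(client_id: str, redirect_uri: str) -> bool:
    """Suffix-only check, mirroring the flaw described in the article.

    The client_id is received but never consulted, so a token minted for one
    client can be redirected to any host under an allowed suffix.
    """
    return host_allowed_by_suffix(redirect_uri)


def validate_redirect_strict(client_id: str, redirect_uri: str) -> bool:
    """Per-client exact match: the redirect must be one this client registered.

    Also requires https and rejects fragments, so a token cannot leak through
    an unexpected scheme or a fragment-based relay on an otherwise allowed host.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    registered = CLIENT_REDIRECTS.get(client_id, set())
    return redirect_uri in registered and host_allowed_by_suffix(redirect_uri)


if __name__ == "__main__":
    client = "com.example.icloud-web"
    good = "https://www.icloud.com/auth/callback"
    other = "https://other.apple.com/some/page"  # allowed suffix, but not registered
    print("weak  ", validate_redirect_weak(client, other))    # True: accepted
    print("strict", validate_redirect_strict(client, other))  # False: rejected
    print("strict", validate_redirect_strict(client, good))   # True: registered URI
```

The point of the comparison is that a suffix whitelist answers "is this one of our domains?" while the question an authorization server must answer is "is this where this client said it would receive tokens?"; only the second binds the token to the party that requested it.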

Another possible attack method would be a malicious Wi-Fi network embedding JavaScript in the page a device is shown when it first connects.

“A malicious Wi-Fi network could respond with a page with JavaScript which initiates OAuth as iCloud,” Alkemade wrote in a tweet. “The user receives a TouchID prompt, but it’s very unclear what it implies. If the user authenticates on that prompt, their session token will be sent to the malicious site, giving the attacker a session for their account on iCloud.”

“By setting up a fake hotspot in a location where users expect to receive a captive portal (for example at an airport, hotel or train station), it would have been possible to gain access to a significant number of iCloud accounts, which would have allowed access to backups of pictures, location of the phone, files and much more,” he added.

A vulnerability in the fingerprint biometric data storage system of OnePlus 7 Pro Android smartphones was reported and patched in April.
