
Hackers may have manipulated Apple biometric security glitch to access iCloud accounts



A security vulnerability in the way Apple's Touch ID and Face ID biometric features were used to sign in to Apple ID on websites in Safari, reported to Apple in February, could have enabled unauthorized access to iCloud accounts, writes The Hacker News. The vulnerability has since been fixed.

How did it work? When signing in to a website in Safari with an Apple ID, users can authenticate with Touch ID (or Face ID) instead of a password; because possession of the device plus the biometric already count as two factors, the separate two-factor authentication step is skipped. This differs from the traditional ID-and-password login to Apple domains, where authentication is handled by an iframe embedded in the website that points to Apple's login validation server.

When Touch ID is used, the iframe is handled differently: the authentication daemon, known as akd, performs the biometric check and retrieves the token the login page needs to continue. “To do this, the daemon communicates with an API on ‘gsa.apple.com,’ to which it sends the details of the request and from which it receives the token,” the publication explains. The flaw was in that API: it did not tie the requested redirect URI to the client requesting the token, only to a list of allowed Apple domains. As a result, a cross-site scripting vulnerability on any of those subdomains would have been enough to obtain a session token for iCloud.

“Even though the client_id and redirect_uri were included in the data submitted to it by akd, it did not check that the redirect URI matches the client ID,” said Thijs Alkemade, the security specialist who found the glitch. “Instead, there was only a whitelist applied by AKAppSSOExtension on the domains. All domains ending with apple.com, icloud.com and icloud.com.cn were allowed.”
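To make the missing check concrete, here is an added illustration in Python (not Apple's code and not part of the original report) that models the two policies Alkemade contrasts: a domain allowlist applied to the redirect URI alone, and a check that binds the redirect URI to the client ID. The client identifiers, the registered URIs and the `vulnerable.apple.com` host are constructed placeholders for the example; only the three allowed domains are taken from the quote.

```python
from urllib.parse import urlsplit

# Constructed registry of clients and their pre-registered redirect URIs.
# These client IDs and URLs are hypothetical placeholders, not Apple's real ones.
REGISTERED_CLIENTS = {
    "web.icloud": {"https://www.icloud.com/auth/callback"},
    "web.support": {"https://support.apple.com/sso/return"},
}

# Domain allowlist of the kind the report describes.
ALLOWED_DOMAINS = ("apple.com", "icloud.com", "icloud.com.cn")


def host_in_allowlist(host: str) -> bool:
    """True if host is one of the allowed domains or a subdomain of one.
    The '.' boundary matters: a bare endswith("apple.com") would also accept evilapple.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Models the flawed policy: the redirect host only has to be on the domain
    allowlist. client_id is received but never used, so a page on any allowed
    subdomain can ask for a token on behalf of any client."""
    parts = urlsplit(redirect_uri)
    return (
        parts.scheme == "https"
        and parts.hostname is not None
        and host_in_allowlist(parts.hostname)
    )


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened policy: redirect_uri must be exactly one of the URIs registered for
    this client_id. Exact string comparison, no prefix, suffix or wildcard matching."""
    registered = REGISTERED_CLIENTS.get(client_id)
    return registered is not None and redirect_uri in registered


def issue_grant(check, client_id: str, redirect_uri: str):
    """Simulates the token endpoint: returns a constructed grant only if `check`
    passes, together with the URI the grant would be delivered to."""
    if not check(client_id, redirect_uri):
        return None
    return {"client_id": client_id, "delivered_to": redirect_uri, "grant_code": "demo-grant"}


if __name__ == "__main__":
    # Scenario from the report: an attacker with script execution on some other
    # allowed subdomain (hypothetical host) requests a token as the iCloud client.
    attacker_page = "https://vulnerable.apple.com/injected"
    for name, check in (("weak", weak_redirect_check), ("strict", strict_redirect_check)):
        print(name, issue_grant(check, "web.icloud", attacker_page))
```

Run stand-alone, the script hands the attacker's page a grant for the iCloud client under the weak policy and returns `None` under the strict one. Exact matching against a per-client registration is what the OAuth 2.0 security guidance calls for; a suffix or pattern match on the host, however carefully written, cannot express "this redirect belongs to that client".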

Another way to exploit it would have been a malicious Wi-Fi network serving a captive-portal page, of the kind users expect to see when first connecting to a hotspot, with JavaScript embedded to start the login flow.

“A malicious Wi-Fi network could respond with a page with JavaScript which initiates OAuth as iCloud,” Alkemade wrote in a tweet. “The user receives a TouchID prompt, but it’s very unclear what it implies. If the user authenticates on that prompt, their session token will be sent to the malicious site, giving the attacker a session for their account on iCloud.”

“By setting up a fake hotspot in a location where users expect to receive a captive portal (for example at an airport, hotel or train station), it would have been possible to gain access to a significant number of iCloud accounts, which would have allowed access to backups of pictures, location of the phone, files and much more,” he added.

A vulnerability in the fingerprint biometric data storage system of OnePlus 7 Pro Android smartphones was reported and patched in April.
