Mat Honan, the former Gizmodo employee who’s personal Twitter account compromise resulted in the temporary hijacking of the tech blog’s Twitter account, has revealed how the hackers managed to do it and, simultaneously, wreak havoc on a number of his other personal accounts.
“In the space of one hour, my entire digital life was destroyed,” he shared with the public. “First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”
Honan has managed to piece together the events with the help of one of the hackers, who contacted him via Twitter, and shed some light on the reasons behind the hack and methods they used.
Amazingly enough, the hijacking of Gizmodo’s Twitter account wasn’t the main goal – it was done as an afterthought. The hackers were after Honan’s account – they liked his three-character Twitter handle (@mat). Hacking into his iCloud account was just a step towards hacking the Twitter account, and the remote wiping of his iPhone, iPad and Macbook was done just because they could and to prevent him to go through the process of reclaiming his accounts.
The hackers didn’t use brute force to enter any of the accounts. Instead, they effected a series of social engineering attacks against a variety of services.
Honan’s Twitter account was linked to his personal website, where his Gmail address was also listed. Guessing that he used that email address for logging into Twitter, they searched for a way to break into that in order to reset the Twitter password.
Unfortunately for him, he hadn’t set up two-factor authentication for his Google account. This allowed the hackers to see the alternate e-mail he had set up for account recovery just by entering his Gmail address into the Google’s account recovery page.
Google didn’t share the entire address, but has given enough for the hackers to discover that Honan had an AppleID account.
Breaking into that account proved easy. By social engineering Amazon’s customer service and misusing the process for adding a new credit card to an account, they added a new one to Honan’s account. Armed with the last 4 digits of the credit card and the Honan’s billing address, they were given entry into his account and access to all the information inside it – including the last 4 digits of his own credit card.
The billing address and these 4 digits were then used to parlay their way into his iCloud account, as it allowed them to bypass the requirement of answering the security questions he set up.
Once they controlled the account and the @me.com address, they went through the password reset process for the Gmail address, which allowed them to finally access it, then start the password reset process for Twitter.
Honan admits that he could have done a number of things to prevent most of this from happening, mainly not tying all those accounts together, setting up to factor authentication for his Google account and the Find My Mac wiping process, and backing up his Macbook regularly. He also says that he knows how lucky he is, and that the damage could be even worse.
Still, he is reasonably upset at the security flaws in Apple’s and Amazon’s customer service systems that allowed this to happen.
“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he writes.
“The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
“In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely,” Natalie Kerris, an Apple spokeswoman, finally offered an official explanation for the NYT. “We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
But given that Wired has on Monday successfully replicated the social engineering attacks the hackers used against Amazon and Apple, it seems that not following its own internal processes is a widespread problem at Apple.