How is a bad actor able to bypass 2-factor auth on an iCloud account?

I have a friend who has had an AppleId (iCloud) account for many years, used on her iPhone and iMac. The email address tied to that account was an old Yahoo email she rarely used.


Over several years, occasionally her AppleId password would stop working. She'd reset the password and get back to using her iPhone. To be as secure as possible, she finally locked down that old AppleId account as best as we knew how:

  • Created a new email account to associate with that AppleId (and used a brand-new password for that too)
  • Changed this AppleId password to a different, brand-new one
  • Turned on 2-factor auth (MFA) for the AppleId account, and made sure it only had one trust phone number (hers) and no trusted devices
  • Ensured no unexpected contacts were in the "Account Recovery" settings


And yet, within 24 hours, she received 2 emails from Apple (verified to be non-phishing, authentic email) informing her that 1) "Your Apple ID was used to sign in to iCloud via a web browser", and 2) "Two-factor auth has been turned off for your Apple ID". These were not things she was doing. Also, she never saw an MFA request come to her cell phone, and I believe that should have been required for anyone to log in to iCloud with that old AppleId.


We've spent over 4 hours on the phone with Apple Support personnel, and while they've been polite, they haven't been able to help us solve this one.


The last Senior Advisor showed us that someone had created "login aliases" for this AppleId account, and since my friend confirmed that they were definitely not hers, the advisor said she'd work with the engineering team to remove those. Further inspection showed us that at least one of those aliases has been used by this bad actor - they had set up a forwarding rule in the email settings for one alias, so important emails would be sent to a different email address owned by the bad actor.


My friend received an email from Apple today telling her "I have heard back from our engineers about deleting the login aliases. Unfortunately, the account does not qualify to have the login aliases deleted."


We would love to understand:

  • how MFA is being bypassed (on several occasions now) by the bad actor when logging in to her iCloud account
  • how this person is able to reset her password, which is protected by security questions
  • why my friend is unable to delete two login aliases ("Reachable At" email addresses) on her own account


Thanks!

iPhone XR

Posted on May 4, 2023 2:21 PM

Question marked as Top-ranking reply

Posted on May 7, 2023 12:39 PM

Latest update from over the weekend:


On Friday my friend handed over the account to me, and changed nearly all of the credentials on the AppleId account - everything but the answers to the security questions.


  • Created a new email address with a secure, random password and switched the AppleId to use that
  • Set up a new Google Voice number to be used for the 2FA
  • Made sure no other devices were associated with this account (no devices, no other phone numbers)
  • Reset the AppleId password to a random, secure one
  • Forced logout of all sessions


Even with all that being done, the bad actor took over the account again today. We received two emails from Apple at the time this happened (in this order):

  1. "Two-factor authentication has been turned off for your Apple ID."
  2. "Your Apple ID was used to sign in to iCloud via a web browser."


After getting access to the account again (and setting 2FA back up) I decided to walk through the steps myself and try to get access to the account without using 2FA - just like this person seems to be doing. I went to https://iforgot.apple.com, filled in the account email address, and on the next page Apple prompts me to confirm the phone number attached to the account. For some reason, when I use this particular AppleId (not my other ones), I see a link below the phone number input that says "Don’t recognize this number?"


If I click on that link, Apple walks me through a process to turn off 2FA. Again, my other AppleIds don't do that, so this might be an 'issue' only with accounts that haven't had 2FA turned on for a few weeks.


When I continued to the following screens, I was able to turn off 2FA (just like this bad actor seems to be able to do) as long as I can answer the security questions. The odd part is that the answers to these security questions are new (created within the last 2 weeks) and very random, not easy to guess. This leads me to wonder if the device my friend used to create these security answers was compromised. If the bad actor was able to get the answers to those security questions, they would be able to turn off 2FA. In fact, it's the only way I've seen (so far) how to turn it off.


To test this theory, I've changed the security answers again (from my own laptop), reset the password again, turned 2FA back on, and triggered the logout of all iCloud sessions.


If they're still able to get back in to this account, I'll be convinced Apple has a significant security hole to patch :)
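As an added example (not part of this thread or anything from Apple), a small defender-side correlation over a constructed set of account-notification emails that flags the ordering the posts describe: a "two-factor authentication has been turned off" notice followed within a short window by a web sign-in, while also recording whether a password-reset notice preceded it (the posts note its absence). The timestamps, the sample subjects and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of notification emails, modelled on the subject lines
# quoted in the thread. Timestamps are hypothetical.
SAMPLE_EVENTS = [
    ("2023-05-07 04:12", "Two-factor authentication has been turned off for your Apple ID."),
    ("2023-05-07 04:15", "Your Apple ID was used to sign in to iCloud via a web browser."),
    ("2023-05-04 09:00", "Your Apple ID was used to sign in to iCloud via a web browser."),
    ("2023-05-03 18:30", "Your Apple ID password has been reset."),
]

# Substrings that identify the notification type we care about.
EVENT_TYPES = {
    "Two-factor authentication has been turned off": "2fa_disabled",
    "was used to sign in to iCloud via a web browser": "web_signin",
    "password has been reset": "password_reset",
}


def classify(subject):
    """Map a notification subject to an event type, or 'other'."""
    for needle, kind in EVENT_TYPES.items():
        if needle in subject:
            return kind
    return "other"


def find_takeover_sequences(events, window_minutes=60, reset_lookback_hours=24):
    """Return (t_disabled, t_signin, reset_preceded) for every 2FA-disable
    notice that is followed by a web sign-in within window_minutes.
    reset_preceded is True only if a password-reset notice arrived in the
    lookback period before the 2FA-disable notice."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), classify(subject))
        for ts, subject in events
    )
    hits = []
    for i, (t_off, kind) in enumerate(parsed):
        if kind != "2fa_disabled":
            continue
        lookback = t_off - timedelta(hours=reset_lookback_hours)
        reset_preceded = any(
            k == "password_reset" and lookback <= t < t_off for t, k in parsed
        )
        for t_in, k in parsed[i + 1:]:
            if k == "web_signin" and t_in - t_off <= timedelta(minutes=window_minutes):
                hits.append((t_off, t_in, reset_preceded))
                break
    return hits
```

Run on the sample it reports one sequence (04:12 disable, 04:15 web sign-in) with no preceding reset notice, which is exactly the combination the posts found odd.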


4 replies
May 4, 2023 3:34 PM in response to veritas-venator

While we are just users like her, we can only give educated guesses at ways it may have happened.


It is/was someone she knows who has physical access to her trusted devices, or there is a trusted device on her account from before two-factor authentication was enabled, so once it was turned on that unknown device became a trusted device.


What she needs to do is follow:


  1. Check your Apple ID device list to find where you're signed in - Apple Support
  2. then also go to icloud.com/find and remove any unknown devices from Find My for her Apple ID.
  3. After all suspicious devices are removed she needs to delete any unknown phone numbers listed as trusted phone numbers. On her iPhone, iPad, or iPod touch: Go to Settings > your name > Password & Security. Next to Trusted Phone Number, tap Edit and delete any phone number that is not hers/she did not add.
  4. Lastly, once all the above is done and she is sure no devices or phone numbers are left that she does not trust, she must reset her Apple ID password once more. If asked, select to be signed out of the Apple ID on all devices so she only signs back into the devices she knows are hers.

May 7, 2023 2:00 PM in response to veritas-venator

You’ve done some extensive and great troubleshooting.


It also makes it sound like somebody has physical access to her iPhone or Mac. On her Mac I would suggest running the free Malwarebytes. https://www.malwarebytes.com/mac


On her iPhone does she have any Profiles installed or has she jailbroken the device? Install or remove configuration profiles on iPhone - Apple Support




May 5, 2023 9:02 AM in response to shoeluvr13

@shoeluvr13 thanks very much for being willing to help. The two options you listed (someone with physical access to her device, or another trusted device on account) are certainly the most plausible options, but we've taken steps to eliminate those several days ago:


  • Her phone has been physically secured, and is protected via FaceId and 6-digit PIN.
  • There have been no devices associated with the AppleId account for several days now (we've checked per the process in your Step 1). The only way people seem to be accessing this account is via web browser, and that doesn't show up in the device list (I just checked again and confirmed that).
  • Same answer for your Step 2. No devices available on "Find My"
  • Regarding Step 3, we've been monitoring the "Trusted Devices" section in her AppleId for over a week now, and the only item showing up there is the phone number for her iPhone (which is now using a different AppleId). No other phone numbers, no devices at all.
  • As for Step 4, we've done this process several times (after walking through the above steps). She did this as recently as two days ago, yet this morning between 4-5 AM someone was able to gain access to her account again.


When my friend noticed that she had lost access overnight, we looked at the emails she received from Apple, to see if there was a notice that her password was reset. We didn't see one (which is odd), but we did see these two (from verified Apple email addresses) in this order:

  1. 2-factor auth has been turned off
  2. Your Apple ID was used to sign in to iCloud via a web browser


At this point we're planning on factory-resetting the phone, under the assumption it might have malware. We have a planned call with an Apple engineer for later today, so we'll see if that solves this first. I'll keep this thread updated.


EDIT:

I should also add, it seems like this same bad actor tried to log in to an old Yahoo email account last week (the one that was previously used for this compromised AppleId). Yahoo sent a couple of notifications about these attempts, and included an IPv6 address. We've verified that address isn't a known VPN or proxy address, and using MaxMind we can determine the ISP (AT&T) and location within an estimated 3 mile radius. This location was 20 miles away from where my friend lives.


My 2-cents: this seems more like a local stalker than an international hacker.
