Security vulnerability in Apple ID / iCloud Mail allowing account lockout attacks!

Dear Apple Security Team,


I would like to report a security vulnerability in the Apple ID ecosystem that is currently being abused by scammers to blackmail users and permanently lock them out of their accounts. Unfortunately, I personally became a victim of this issue.


The problem is related to access to iCloud Mail and the primary @icloud.com alias of an Apple ID account.


An attacker who only has the Apple ID login and password (without knowing the security questions or date of birth) can gain access to https://www.icloud.com/mail/. From there, they are able to view or create an iCloud mail alias and identify the primary @icloud.com address linked to the account.


Using this primary alias, attackers can perform repeated automated login attempts to Apple ID services, intentionally triggering security lockouts. Because the primary @icloud.com alias cannot be removed or changed, the account becomes effectively unusable for the legitimate owner.

Changing the main email (@gmail.com etc.) does not resolve the problem, since the lockouts are tied to the immutable primary alias @icloud.com.


As a result:

• Apple IDs can be permanently locked

• Legitimate owners lose access

• This method is being used for extortion

• Recovery becomes extremely difficult or impossible


I believe this is a security design flaw and could be mitigated by implementing one or more of the following measures:


Require additional Apple ID verification (for example, security questions or equivalent account-level verification) when accessing iCloud Mail via https://www.icloud.com/mail/.


Allow users to change or regenerate their primary @icloud.com alias in cases of abuse or compromise.


These changes would significantly reduce the risk of account destruction and mass harassment attacks.


I am ready to provide more technical details and real-world evidence of this method if required.


Please contact me so I can share further information privately.

iPhone 17 Pro Max, iOS 26

Posted on Feb 17, 2026 11:30 AM
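The failure mode the post describes, where anyone who knows the login name can keep an account locked by failing logins on purpose, is the classic account-lockout denial of service. As an added illustration that is not part of the original post and does not model Apple's actual systems, the Python below contrasts a hard per-account lockout with a per-source throttle that flags the noisy source instead of disabling the account; the thresholds, addresses and the victim alias are constructed.

```python
"""Simulation of two lockout policies under a lockout denial of service.
Constructed example: thresholds, durations, addresses and alias are invented."""
from collections import defaultdict

MAX_FAILURES = 5          # assumed threshold, not any vendor's real value
LOCK_SECONDS = 3600       # assumed hard-lock duration
THROTTLE_SECONDS = 900    # assumed per-source cool-down


class HardAccountLockout:
    """Weak policy: N failed attempts lock the *account*, whoever sent them."""

    def __init__(self):
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unlock time

    def attempt(self, account, source, password_ok, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"                # even the real owner is refused
        if password_ok:
            self.failures[account] = 0
            return "allow"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account] = 0
            return "locked"
        return "deny"


class PerSourceThrottle:
    """Hardened policy: failures are counted per (account, source) pair.
    A noisy source is slowed down and reported; the account stays usable
    from elsewhere, so a stranger's failures cannot lock the owner out."""

    def __init__(self):
        self.failures = defaultdict(int)   # (account, source) -> failures
        self.throttled_until = {}          # (account, source) -> release time
        self.alerts = []                   # (time, account, source) for SOC review

    def attempt(self, account, source, password_ok, now):
        key = (account, source)
        if self.throttled_until.get(key, 0) > now:
            return "throttled"
        if password_ok:
            self.failures[key] = 0
            return "allow"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.throttled_until[key] = now + THROTTLE_SECONDS
            self.failures[key] = 0
            self.alerts.append((now, account, source))
            return "throttled"
        return "deny"


def simulate(policy, attacker_attempts=10):
    """Attacker hammers the alias with wrong passwords from one address,
    then the legitimate owner signs in with the correct password from
    another. Returns the decision the owner receives."""
    account = "victim@icloud.com"          # constructed alias
    now = 0
    for _ in range(attacker_attempts):
        policy.attempt(account, "203.0.113.7", False, now)   # TEST-NET-3 address
        now += 1
    return policy.attempt(account, "192.0.2.10", True, now)   # TEST-NET-1 address


if __name__ == "__main__":
    print("hard lockout, owner gets:", simulate(HardAccountLockout()))
    hardened = PerSourceThrottle()
    print("per-source throttle, owner gets:", simulate(hardened))
    print("alerts raised:", hardened.alerts)
```

Under the hard policy the owner's correct password is refused; under the per-source policy the owner signs in and the abusive source is reported. A real deployment also needs account-wide anomaly detection, since an attacker can rotate addresses, and pairs the throttle with step-up verification (such as a second factor) rather than relying on any single counter.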

Question marked as Top-ranking reply

Posted on Feb 20, 2026 5:11 PM

Hi Cativeiro46

Welcome to this Apple (user-to-user) Community :-)


Re: "Security vulnerability in Apple ID / iCloud Mail allowing account lockout attacks! Dear Apple Security Team,..."


As we are all Apple users, like yourself, in this community, Apple is very unlikely to see your report here, i.e. Apple is just not here.

(i.e., some of us volunteer to help each other troubleshoot.)


Apple support provides guidance that will likely help in an article online (link below).

See how to: Report a security or privacy vulnerability

7 replies

Feb 20, 2026 6:18 PM in response to rom.ph

rom.ph wrote:

out of curiosity - how does the attacker bypass the second factor?

There is no Two-Factor Authentication if Security Questions are present. That is why Apple has recommended all users switch to 2FA, and any new account created in the last several years requires the use of 2FA. The use of Security Questions has long been considered a security risk due to the amount of information easily gained on the internet, so 2FA does not use them at all.

Feb 20, 2026 5:52 PM in response to Cativeiro46

Enable two-factor authentication.


Two-factor authentication eliminates the security questions, and provides a last recourse against account compromises including compromised passwords and compromised security questions, and from phishing.


If your Apple Account is compromised, it is gone. Changing the email is something the (new) account owner can do, of course. The folks that are performing these account take-overs using credential stuffing attacks are automating this against multiple online services, including against Apple Accounts. And two-factor provides a defense against these.


If your account is at particular risk, consider switching to hardware security keys (tokens), and enabling a recovery key.


Suggestions for better securing your data and your account: https://discussions.apple.com/docs/DOC-250009089


Feb 20, 2026 6:28 PM in response to Cativeiro46

"Security vulnerability in Apple ID / iCloud Mail allowing account lockout attacks!: [...]Unfortunately, I personally became a victim of this issue.[...]"

-------


Report this Scam to Apple and Others:

Along with providing feedback, I would recommend you report this to Apple and others, such as your local and federal agencies. By taking screenshots, you can obtain the contents from the screenshot by opening it in the Photos app, and then highlighting contents to copy & paste into the corresponding items (i.e. date). Use my User Tip: Using the Photos App to Report Scams - User Tip

Feb 20, 2026 6:57 PM in response to rom.ph

rom.ph wrote:

I thought that Apple enforces it on all accounts by now. :)


Most new Apple Accounts are created with two-factor authentication enabled at creation, but existing accounts of a certain age didn’t have it enabled at creation, and may not still, and can enable it at the discretion of the account holder.


If there are security questions, then two-factor authentication was not enabled.


Two-factor authentication eliminates the security questions, once it has been enabled for two weeks.


There is another thread about somebody reporting two-factor authentication enabled and getting security question failure reports via email, and I'd encouraged them to discuss that directly with Apple Support. That case shouldn't happen. Whether it is a flaw in the Apple systems, or is somebody spoofing the security question messages, or something else entirely?
