Security News > 2020 > August > Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts

Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user's iCloud account.
Uncovered in February by Thijs Alkemade, a security specialist at the IT security firm Computest, the flaw resided in Apple's implementation of the TouchID biometric feature that authenticates users logging in to websites in Safari, specifically those that use Apple ID logins.
After the issue was reported to Apple through its responsible disclosure program, the iPhone maker addressed the vulnerability in a server-side update.
By contrast, when logging in to Apple domains the usual way with an Apple ID and password, the website embeds an iframe pointing to Apple's login validation server, which handles the authentication process.

Setting Up Fake Hotspots to Take Over iCloud Accounts

In a separate scenario, the attack could be carried out by embedding JavaScript in the web page that is displayed when a device connects to a Wi-Fi network for the first time, giving an attacker access to the user's account if the user simply accepts a TouchID prompt from that page.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/K88FpMmylxc/apple-touchid-sign-in.html