Protecting your Apple ID from hacking, or how to tell real Apple emails from fake ones
The other day, our editorial email address, which is also an Apple ID, received a message purportedly from Apple stating that we had purchased an app for $21. The email said: “if you did not make this purchase, you can cancel it via this link…; if you do nothing, the money will be charged”.
We receive such emails very often and delete them with a smile. Below we explain why scammers send these messages and how to recognise a fake one.
The scammers' calculation is simple: as soon as a user sees that roubles, euros or dollars are about to be taken from their account, they will immediately go to sort it out. The email also contains a special link for cancelling the order (subscription).
After following it, the user lands on a fake site that looks like an App Store page. It has a form for entering credit card details, which you are told to fill in to prevent the charge.
In reality, of course, the exact opposite happens: your money is not refunded but taken.
Apple, for its part, reminds users that App Store staff will never, under any circumstances, ask you for personal information or payment details.
Incidentally, Apple has an excellent guide on how to tell a genuine email from the company from a phishing one. You can read it in full here; the key points are given below:
- Check the address the email was sent from.
Below is a list of genuine Apple email addresses whose links are safe to follow:
How to Hack Apple ID
Everyone knows what’s inside a computer isn’t really real. It pretends to be, sure, hiding just under the pixels — but I promise you it isn’t.
In the real world, everything has a certain mooring we’re all attuned to. You put money in a big strong safe, and, most likely, if somehow it opens there will be a big sound, and a big hole. Everything has a footprint, everything has a size, there are always side-effects.
As the electrons wiggle, they’re expressing all these abstract ideas someone thought up sometime. Someone had an idea of how they’d dance, but that’s not always true. Instead, there are half-formed ideas, ideas that change context and meaning when exposed to others, and ideas that never really quite made sense.
The Alice in Wonderland secret of computers is that the dancers and their music are really the same. It’s easy to mistakenly believe that each word I type is shuffled by our pixie friends along predefined chutes and conveyors to make what we see on screen, when in reality each letter is just a few blits and bloops away from being something else entirely.
Sometimes, if you’re careful, you can make all those little blits and bloops line up in a way that makes the dance change, and that’s why I’ve always loved hacking computers: all those little pieces that were never meant to be put together that way align in unintended but beautiful order. Each individual idea unwittingly becomes part of a greater and irrefutable whole.
Before the pandemic, I spent a lot of time researching the way the web of YouTube, Wikipedia and Twitter meets the other world of Word, Photoshop and Excel to produce Discord, 1Password, Spotify, iTunes, Battle.net and Slack. Here all the wonderful and admittedly very pointy and sharp benefits of the web meet the somewhat softer underbelly of the ‘Desktop Application’, the consequences of which I summarised one sunny day in Miami.
I’m not really a very good security researcher, so little of my work sees the light of day because the words don’t always form up in the right order, but my experience then filled me with excitement to publish more. And so, sitting again under the fronds of that tumtum tree, I found more — and I promise you what I found then was as exciting as what I’ll tell you about now.
But I can’t tell you about those. Perhaps naïve, it didn’t occur to me before that the money companies give you for your security research is hush money, but I know that now — and I knew that then, when I set out to hack Apple ID.
At the time, Apple didn’t have any formal way of paying you for bugs: you just emailed them, and hoped for the best. Maybe you’d get something, maybe you wouldn’t — but there is certainly nothing legally binding about sending an email in the way submitting a report to HackerOne is. That appealed to me.
Part 1: The Doorman’s Secret
Computer systems don’t tend to just trust each other, especially on the web. The times they do usually end up being mistakes.
Let me ask you this: when you sign into Google, do you expect it to know what you watched on Netflix? Of course not.
That’s down to a basic rule of the web: different websites don’t default to sharing information to each other.
iCloud, then, is a bit of a curiosity. It has its own domain, icloud.com, entirely separate from Apple’s usual apple.com, yet its core feature is of course logging into your Apple iCloud account. More interestingly still, you might notice that most login systems for, say, Google, redirect you through a common login domain like accounts.google.com, but iCloud’s doesn’t.
Behind the looking-glass, Apple has made this work by having iCloud include a webpage that is located on the AppleID server, idmsa.apple.com. The page is located at this address:
Here, Apple is using OAuth 2, a capability-based authentication framework. ‘Capability-based’ is key here, because it means that a login from Apple.com doesn’t necessarily equate to one from iCloud.com, and not all iCloud logins are necessarily the same either — that’s how Find My manages to skip a second-factor check to find your phone. This allows Apple to (to some extent) reduce the blast radius of security issues that might otherwise touch iCloud.
This is modified, however, to allow the login to work embedded in another page. response_mode=web_message seems to be a switch that turns this on.
If you visit the address, you’ll notice the page is just blank. This is for good reason: if anyone could just show the Apple iCloud login page then you could play around with the presentation of the login page to steal Apple user data (‘Redress Attack’). Apple’s code is detecting that it’s not being put in the right place and blanks out the page.
In typical OAuth, ‘redirect_uri’ specifies where the access is being sent to; in a normal, secure flow, the redirect_uri gets checked against what’s registered for the other parameter, ‘client_id’, to make sure that it’s safe for Apple to send the special keys that grant access there. But here, there’s no redirect that would cause that. In this case the redirect_uri parameter is being used for a different purpose: to specify the domain that can embed the login page.
In a twist of fate, this one fell prey to a similar bug to the one from How to Hack the UK Tax System, I guess, which is that web addresses are extraordinarily hard to compare safely.
Necessarily, something like this parameter must pass through several software systems, which individually probably have subtly different ways of interpreting the information. For us to be able to bypass this security control, we want the redirect_uri checker on the AppleID server to think icloud.com, and other systems to think something else. URLs, web addresses, are the perfect conduit for this.
Messing with the embed in situ in the iCloud page with Chrome Devtools, I found that a redirect_uri of ‘https://abc@www.icloud.com’ would pass just fine, despite it being a really weird way of saying the same thing.
The next part of the puzzle is how do we get the iCloud login page into our page? Consult this reference on embed control:
- X-Frame-Options: DENY
  Prevents any kind of embedding
  pros: ancient, everyone supports it
  cons: the kids will laugh at you; if you want only some embedding, you need some complicated and unreliable logic
- X-Frame-Options: ALLOW-FROM http://example.com
  Only allows embedding from a specific place
  pros: A really good idea from a security perspective
  cons: was literally only supported by Firefox and Internet Explorer for a short time so using it will probably make you less secure
- Content-Security-Policy: frame-ancestors
  Only allows embedding from specific place(s)
  pros: new and cool, there are probably TikToks about how to use it; prevents embeds-in-embeds bypassing your controls
  cons: probably very old browsers will ignore it
If you check Chrome DevTools’s ‘network’ panel, you will find the AppleID signon page uses both X-Frame-Options: ALLOW-FROM (which essentially does nothing), and Content-Security-Policy: frame-ancestors.
Here’s a cut-down version of what the Content-Security-Policy header looks like when ‘redirect_uri’ is set to the default “https://www.icloud.com/”:
This directs the browser to only allow embeds in iCloud. Next, what about our weirder redirect_uri, https://abc@icloud.com?
Very interesting! Now, humans are absolute fiends for context-clues. Human language is all about throwing a bunch of junk together and having it all picked up in context, but computers have a beautiful, childlike innocence toward them. Thus, I can set redirect_uri to ‘https://mywebsite.com;@icloud.com/’, then, the AppleID server continues to think all is well, but sends:
This is because the ‘URI’ language that’s used to express web addresses is contextually different to the language used to express Content Security Policies. ‘https://mywebsite.com;@www.icloud.com’ is a totally valid URL, meaning the same as ‘https://www.icloud.com’ but to Content-Security-Policy, the same statement means ‘https://mywebsite.com’ and then some extra garbage which gets ignored after the ‘;’.
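The two readings of the same string side by side, as an added example that is not code from the original post or from Apple: the WHATWG URL parser that browsers and Node use, a model of the browser’s CSP tokenizer, and the header builder a defender would want (parse once, reject userinfo, emit only the normalized origin). The allowlist and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the original post or from Apple. The allowlist
// and function names are assumptions made for illustration.
const ALLOWED_EMBEDDERS = new Set(["https://www.icloud.com"]);

// URL view (WHATWG parser, as used by browsers and Node): the host is whatever
// follows the last '@' of the authority, so userinfo before it is ignored.
function hostOf(uri) {
  return new URL(uri).hostname;
}

// Model of how a browser tokenizes a CSP header: directives are split on ';',
// and sources inside a directive on whitespace. Returns the frame-ancestors sources.
function frameAncestorsOf(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === "frame-ancestors") return tokens.slice(1);
  }
  return [];
}

// Flawed pattern: validate the host with a URL parser, then copy the raw,
// untrusted string into the header, where the CSP grammar reads it differently.
function buildCspNaive(redirectUri) {
  if (hostOf(redirectUri) !== "www.icloud.com") throw new Error("host not allowed");
  return `frame-ancestors ${redirectUri}; default-src 'self'`;
}

// Hardened pattern: parse once, reject anything carrying userinfo, compare the
// normalized origin against an allowlist, and emit only that origin.
function buildCspHardened(redirectUri) {
  const u = new URL(redirectUri);
  if (u.username !== "" || u.password !== "") throw new Error("userinfo not allowed");
  if (u.protocol !== "https:") throw new Error("https required");
  if (!ALLOWED_EMBEDDERS.has(u.origin)) throw new Error("origin not allowed");
  return `frame-ancestors ${u.origin}; default-src 'self'`;
}

// Constructed redirect_uri values: the default one and the one from the text.
const DEFAULT_URI = "https://www.icloud.com/";
const CONFUSED_URI = "https://mywebsite.com;@www.icloud.com/";

console.log(hostOf(CONFUSED_URI));                          // www.icloud.com
console.log(frameAncestorsOf(buildCspNaive(CONFUSED_URI)));  // [ 'https://mywebsite.com' ]
console.log(buildCspHardened(DEFAULT_URI));
try { buildCspHardened(CONFUSED_URI); } catch (e) { console.log("rejected:", e.message); }
```

The naive builder accepts the string because the URL parser reports www.icloud.com as the host, yet the header it emits tells the browser to allow framing from https://mywebsite.com; the hardened builder never lets the raw string reach the header at all.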
Using this, we can embed the Apple ID login page in our own page. However, not everything is quite as it seems. If you fail to embed a page in Chrome, you get this cute lil guy: