One of the latest attacks on iPhone sees malicious parties abuse the Apple ID password reset system to inundate users with iOS prompts to take over their accounts. Here's how you can protect against iPhone password reset attacks (often called "MFA bombing").

We've recently heard about Apple users being targeted with MFA bombing (also called MFA fatigue or push bombing). It's not a new attack, but it can be a convincing scam as it pushes official iOS password reset prompts to victims.

As detailed by Krebs on Security (via Parth Patel), attackers abusing this vulnerability appear to be doing so through an Apple user's phone number, which lets them bomb the user's iPhone and other Apple devices with 100+ MFA (multi-factor authentication) system prompts to reset the Apple ID password.

Update 4/21/24: We haven't seen more "bombing" cases of this attack since Apple pushed a fix at the end of March. However, a 9to5Mac teammate and I both saw the password attack this weekend on our Apple devices. In my case, I got the password reset prompt on my iPhone and my Mac. Fortunately, it was just one prompt on each device so they were quick to decline. Meanwhile, my colleague Bradley got five. Stay vigilant and safe out there!

Update 3/28/24 2:40 pm PT: 9to5Mac has heard from an Apple spokesperson about this issue. The company knows about the few recent cases of these phishing attacks and Apple has taken action to solve the problem.

As noted in Krebs on Security's article, it appears there is a rate limit problem with the Apple ID password reset system.

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven't even been acted on by the user? Could this be the result of a bug in Apple's systems?

Hopefully, Apple is working on a fix so malicious parties can't abuse this system. But unfortunately, the password reset scam has been highlighted by users for at least two years (likely more).
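The rate limit point above, as an added example (not Apple's implementation and not code from the article): a per-account gate that sends no new reset prompt while an earlier one is unanswered, caps prompts per time window, and backs off after the user declines. The class names, thresholds and the sample burst are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccountState:
    pending_since: Optional[float] = None     # unanswered prompt currently on the devices
    sent: list = field(default_factory=list)  # delivery times still inside the window
    blocked_until: float = 0.0                # back-off set when the user declines

class ResetPromptGate:
    """Decides whether a password-reset request may push a prompt (hypothetical design)."""
    def __init__(self, max_prompts=3, window=3600.0, prompt_ttl=300.0, decline_cooldown=900.0):
        self.max_prompts, self.window = max_prompts, window
        self.prompt_ttl, self.decline_cooldown = prompt_ttl, decline_cooldown
        self.accounts = {}

    def request(self, account, now):
        st = self.accounts.setdefault(account, AccountState())
        if st.pending_since is not None and now - st.pending_since < self.prompt_ttl:
            return "coalesced"      # first prompt not acted on yet: push nothing new
        if now < st.blocked_until:
            return "cooldown"       # user just declined: stay quiet for a while
        st.sent = [t for t in st.sent if now - t < self.window]
        if len(st.sent) >= self.max_prompts:
            return "rate_limited"   # per-window cap reached
        st.sent.append(now)
        st.pending_since = now
        return "prompt_sent"

    def answer(self, account, allowed, now):
        st = self.accounts.setdefault(account, AccountState())
        st.pending_since = None
        if not allowed:
            st.blocked_until = now + self.decline_cooldown

def simulate_burst(gate, account="user@example.com", n=100, spacing=0.5, decline_at=20.0):
    """Constructed scenario: n reset requests 'spacing' seconds apart; the user declines once."""
    outcomes, declined = Counter(), False
    for i in range(n):
        now = i * spacing
        if not declined and now >= decline_at:
            gate.answer(account, allowed=False, now=now)
            declined = True
        outcomes[gate.request(account, now)] += 1
    return outcomes

if __name__ == "__main__":
    print(dict(simulate_burst(ResetPromptGate())))
```

With these assumed defaults, a burst of 100 requests produces a single prompt on the device; everything else is absorbed server-side.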
One recent victim shared that a senior engineer at Apple advised him to turn on the Recovery Key feature for his Apple ID to stop the password reset notifications. However, in further testing, that was not the case, and Krebs on Security verified Apple Recovery Key does not prevent reset password prompts.