Security alert: Apple users targeted by this threat right now

Several Apple (NASDAQ: AAPL) users are being targeted in a new phishing scam that bombards them with password reset prompts, making it difficult to use their devices.

The scam exploits a weakness in Apple’s MFA (multi-factor authentication) system, allowing attackers to send a massive amount of password reset requests in a short period, as reported by KrebsOnSecurity on March 26.

This overwhelms users with notifications on their iPhones, iPads, and Apple Watches, urging them to “Allow” or “Don’t Allow” the reset.

Parth Patel, an entrepreneur exploring conversational AI, revealed on X (formerly Twitter) that he was targeted in a recent phishing attempt.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

How the phishing scam works

If a user accidentally clicks “Allow” on one of these prompts, attackers can then gain access to their Apple account and lock them out.

The attackers may even follow up with a fake Apple support call to trick the user into revealing a one-time code used to complete the password reset.

Experts believe this scam may be exploiting a flaw in Apple’s rate-limiting system, which is supposed to prevent such a rapid influx of password reset requests.

When a user attempts to reset their password on the “iForgot” page, Apple typically sends a verification code to the phone number associated with the account.

However, researchers were able to trigger these notifications even with a recovery key enabled, suggesting the exploit bypasses current security measures.
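The rate limit described above is meant to stop exactly this kind of prompt flood. The following is an added illustration, not Apple’s code or anything reported by the researchers: a per-account sliding-window limiter that caps how many reset prompts are pushed to a user’s devices and flags the account when the volume of attempts looks like prompt bombing. The limits, the account name and the replayed burst are constructed values.

```python
from collections import defaultdict, deque

# Policy values are constructed for illustration, not Apple's real limits.
MAX_PROMPTS_PER_WINDOW = 3   # prompts actually pushed to the user's devices
WINDOW_SECONDS = 600         # sliding window length
ALERT_THRESHOLD = 20         # attempts in one window that flag the account


class ResetPromptLimiter:
    """Per-account sliding-window limiter for password-reset push prompts.

    Tracks every reset request received (attempts) separately from prompts
    actually delivered, so a flood of requests cannot flood the devices and
    a high attempt count in one window can be surfaced for investigation.
    """

    def __init__(self, max_prompts=MAX_PROMPTS_PER_WINDOW,
                 window=WINDOW_SECONDS, alert_threshold=ALERT_THRESHOLD):
        self.max_prompts = max_prompts
        self.window = window
        self.alert_threshold = alert_threshold
        self._attempts = defaultdict(deque)   # account -> request timestamps
        self._delivered = defaultdict(deque)  # account -> pushed-prompt timestamps

    def _evict(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def request_reset(self, account, now):
        """Return True if a prompt may be pushed now, False if it is dropped."""
        attempts, delivered = self._attempts[account], self._delivered[account]
        self._evict(attempts, now)
        self._evict(delivered, now)
        attempts.append(now)
        if len(delivered) >= self.max_prompts:
            return False
        delivered.append(now)
        return True

    def under_attack(self, account, now):
        """True when attempts in the current window reach the alert threshold."""
        attempts = self._attempts[account]
        self._evict(attempts, now)
        return len(attempts) >= self.alert_threshold


def simulate_burst(n_requests, interval_seconds=2.0, account="victim@example.invalid"):
    """Replay a constructed burst of reset attempts; return (prompts_delivered, attack_flagged)."""
    limiter = ResetPromptLimiter()
    delivered, last = 0, 0.0
    for i in range(n_requests):
        last = i * interval_seconds
        delivered += limiter.request_reset(account, last)
    return delivered, limiter.under_attack(account, last)
```

With the constructed policy, a burst of 100 requests results in only three prompts reaching the user and the account being flagged, whereas a couple of genuine attempts pass through unflagged.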

Strategies to secure your Apple account

This attack highlights the dangers of MFA fatigue, where attackers bombard users with login requests in hopes they’ll accidentally approve one.

Here’s how to protect yourself:

  • Never click on links or respond to calls from unsolicited callers claiming to be Apple support.
  • Be cautious when presented with numerous password reset prompts. If unsure, wait it out and contact Apple directly.
  • Consider enabling two-factor authentication on your email address associated with your Apple ID. This adds an extra layer of security in case attackers gain access to your Apple account.

Apple’s silence raises concerns

As Apple remains silent in response to requests for comment on this pressing issue, security researchers stress the urgency of addressing this potential bug to prevent further manipulation.

However, the situation is further complicated by previous instances in which Apple withheld details about significant security vulnerabilities, such as those within the M-series chips and the undisclosed fixes in iOS 17.4.1.

With important questions still unanswered and uncertainty remaining, the tech community is waiting for Apple’s reply and the release of relevant information.

We’ve reached out to Apple for a comment and will update the article if we hear back from the company.
