Several Apple (NASDAQ: AAPL) users are being targeted in a new phishing scam that bombards them with password reset prompts, making it difficult to use their devices.
The scam exploits a weakness in Apple’s MFA (multi-factor authentication) system, allowing attackers to send a large number of password reset requests in a short period, as reported by KrebsOnSecurity on March 26.
This overwhelms users with notifications on their iPhones, iPads, and Apple Watches, urging them to “Allow” or “Don’t Allow” the reset.
Parth Patel, an entrepreneur exploring conversational AI, revealed on X (formerly Twitter) that he was targeted in a recent phishing attempt.
“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”
How the phishing scam works
If a user accidentally clicks “Allow” on one of these prompts, attackers can then gain access to their Apple account and lock them out.
The attackers may even follow up with a fake Apple support call to trick the user into revealing a one-time code used to complete the password reset.
Experts believe this scam may be exploiting a flaw in Apple’s rate-limiting system, which is supposed to prevent such a rapid influx of password reset requests.
When a user attempts to reset their password on the “iForgot” page, Apple typically sends a verification code to the phone number associated with the account.
However, researchers were able to trigger these notifications even with a recovery key enabled, suggesting the exploit bypasses current security measures.
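Rate limiting of the kind the article says Apple’s system is meant to enforce, shown here as an added illustration (not code from KrebsOnSecurity, the researchers or Apple): a per-account sliding-window cap on reset prompts, plus a detector that flags accounts receiving a burst of reset requests in a constructed log. The thresholds, account names and log format are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample log: (unix_ts, account). The first account gets 30 reset
# requests in two minutes, the second gets two requests an hour apart.
SAMPLE_EVENTS = [(float(t), "victim@example.invalid") for t in range(0, 120, 4)]
SAMPLE_EVENTS += [(0.0, "normal@example.invalid"), (3600.0, "normal@example.invalid")]


class ResetPromptLimiter:
    """Allow at most `limit` reset prompts per account within any `window` seconds."""

    def __init__(self, limit=5, window=3600):
        self.limit, self.window = limit, window
        self._seen = defaultdict(deque)  # account -> timestamps of allowed prompts

    def allow(self, account, ts):
        q = self._seen[account]
        while q and ts - q[0] >= self.window:  # forget prompts older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget spent: suppress the prompt instead of pushing it
        q.append(ts)
        return True


def simulate(events, limiter):
    """Replay events in time order; return per-account allowed/blocked counts."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, account in sorted(events):
        counts[account]["allowed" if limiter.allow(account, ts) else "blocked"] += 1
    return dict(counts)


def burst_accounts(events, window=60, threshold=10):
    """Flag accounts with more than `threshold` requests in any `window`-second span."""
    per_account = defaultdict(list)
    for ts, account in events:
        per_account[account].append(ts)
    flagged = set()
    for account, stamps in per_account.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the left edge of the window
                start += 1
            if end - start + 1 > threshold:
                flagged.add(account)
                break
    return flagged
```

With these settings the bombarded account gets only 5 of its 30 prompts delivered and is the only one the burst detector flags, while the account with two requests an hour apart is unaffected.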
Strategies to secure your Apple account
This attack highlights the dangers of MFA fatigue, where attackers bombard users with login requests in hopes they’ll accidentally approve one.
Here’s how to protect yourself:
- Never click on unsolicited links or engage with unexpected callers claiming to be Apple support.
- Be cautious when presented with numerous password reset prompts. If unsure, wait it out and contact Apple directly.
- Consider enabling two-factor authentication on your email address associated with your Apple ID. This adds an extra layer of security in case attackers gain access to your Apple account.
Apple’s silence raises concerns
As Apple remains silent in response to requests for comment on this pressing issue, security researchers stress the urgency of addressing this potential bug to prevent further abuse.
However, the situation is further complicated by a previous instance where Apple withheld details about significant security vulnerabilities, like those within the M-series chips and the undisclosed fixes in iOS 17.4.1.
With important questions still unanswered and uncertainty remaining, the tech community is waiting for Apple’s reply and the release of relevant information.
We’ve reached out to Apple for a comment and will update the article if we hear back from the company.