More than four months after Tim Cook promised emailed login alerts and the reintroduction of two-factor authentication in the wake of the high-profile celebrity iCloud hacks, five Apple logins remain unprotected by the system. Hackers of NY founder Dani Grant used videos to demonstrate each of the vulnerabilities in a blog post.
Grant showed that two-factor authentication isn’t needed when using an unknown Mac to log in to iMessage, iTunes, FaceTime, the App Store or Apple’s website. According to Grant, only one of the five services sent an email notification advising that an unknown device was used to log in.
FaceTime was the sole service for which Apple sent an email notification, Grant said:
It should be noted that similar messages have been sent out by Apple in the past for iMessage as well, though the same protection is not currently offered by iTunes, the App Store, and Apple’s website.
While the iCloud ‘hacks’ didn’t involve any compromise of the service itself, relying instead on a combination of phishing and easily guessed passwords or security questions, they did draw attention to the risks to technically naive users (especially celebrities, who are forced to choose from a limited number of security questions whose answers can be easily researched).
Apple briefly introduced two-factor authentication for iCloud.com in June of last year, before reintroducing it shortly after the scandal. But as Grant illustrates, other Apple services remain vulnerable.
Check out the rest of the video demos on Medium.