• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

CISA released Thorium platform to support malware and forensic analysis

 | 

Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

 | 

Dahua Camera flaws allow remote hacking. Update firmware now

 | 

Researchers released a decryptor for the FunkSec ransomware

 | 

Apple fixed a zero-day exploited in attacks against Google Chrome users

 | 

PyPI maintainers alert users to email verification phishing attack

 | 

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

 | 

Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

 | 

Orange reports major cyberattack, warns of service disruptions

 | 

Hackers leak images and comments from women dating safety app Tea

 | 

Pro-Ukraine hacktivists claim cyberattack on Russian Airline Aeroflot that caused the cancellation of +100 flights

 | 

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Security
  • iCloud two-factor protection, security flaw or deliberate choice?

iCloud two-factor protection, security flaw or deliberate choice?

Pierluigi Paganini June 02, 2013

iCloud could not properly protect the user’s data despite the implementation of a two-factor protection.

Millions of users access to the iCloud to store their data such as photos, music and documents and Apple has tried recently to improve their security introducing in March a two factor authentication system … Do users really know the security mechanisms that protect their data?

Last week I wrote a post on benefits and limits of a two-factor authentication process, the reflections made rise serious questions on possible incorrect implementations of security mechanism.

I started remarking to be deeply opposed to the storage of my information on a system of which I know very little as it can be any Cloud architecture managed by an enterprise.

iCloud 2FA

 

The two-factor authentication has been introduced by Apple to preserve the use of user’s Apple Id for fraudulent purchases but it seems not sufficient to protect user’s files stored in the cloud.

The discovery has been done by researchers at ElcomSoft, a Russian company specialized in the providing of forensics software for cracking passwords and system auditing, in a post recently issued.

In case an attacker is able to access to user’s account credentials despite the Apple adopted a  two-factor verification he is anyway able to access data stored in user’s iCloud account.

The ElcomSoft CEO Vladimir Katalov has written in the post:

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” “In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information.”

“In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past (see Norwegian Teenagers Hacking iCloud Accounts) and will be exploited in the future.”

“To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn’t really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account,”

Although Apple hasn’t introduced the two-factor authentication to reinforce security of data stored in the iCloud architecture the flaw has puzzled researchers because the security mechanism not protect user’s data.

The security mechanism prevents in fact attackers from resetting a user’s iCloud password,but it doesn’t impede them from accessing data stored in an account. Apple two-factor authentication allows an attacker to restore backed up iPhone or iPad data to a new device or delete them permanently.

 iCloud backup

 

Resuming the 2FA solution added by apple doesn’t provide extra security for data, on the contrary it adds a wrong perception of security to the users which could have serious consequences.

Probably the flaw found in the Apple implementation of 2FA in not casual but it is the compromise between level of security ensured to the users and usability of the solution.

Other 2FA solutions such as the ones implemented by Microsoft or Google request customers to come up with a “second piece of an ID when attempting to access their services from a new device” to prevent anyone stealing user’s credentials.

“The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage.”

The CEO of Duo Security, a firm specialized in providing of two-factor authentication services, commented the technical choice with following statement:

“It’s a worthwhile discovery,” “It’s good for people to know and understand that their account is not 100-percent protected by this new feature that rolled out. But I don’t think it’s an unaddressable limitation, and to be fair to Apple, I don’t know if this was ever intended to protect this model.”

Pierluigi Paganini

(Security Affairs – Apple iCloud, 2FA)


facebook linkedin twitter

2FA Apple Cloud iCloud security two-factor authentication

you might also like

Pierluigi Paganini August 01, 2025
CISA released Thorium platform to support malware and forensic analysis
Read more
Pierluigi Paganini July 31, 2025
Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    CISA released Thorium platform to support malware and forensic analysis

    Cyber Crime / August 01, 2025

    Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

    APT / July 31, 2025

    Dahua Camera flaws allow remote hacking. Update firmware now

    Hacking / July 31, 2025

    Researchers released a decryptor for the FunkSec ransomware

    Malware / July 31, 2025

    Apple fixed a zero-day exploited in attacks against Google Chrome users

    Security / July 30, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT