There's an important omission in the article and the top comments here don't mention it either: Accidentally tapping "Allow" does not allow the attacker to change the password on their web browser. When you tap Allow on your device, you are shown the 6-digit pin on your device and you can use it to change your password on your device. The final part of the attack is that the attacker calls you using a spoofed Apple phone number and asks you to read out the 6-digit pin to them. If you choose to give out the 6-digit pin to the attacker over an incoming phone call, then they can use it in their browser to reset your password.
It's surprising that Krebs chose to omit this little detail in the security blog and instead seemed to confirm that someone could completely give away access to their account while sleeping.
He describes this in the very first paragraph of the article:
>Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.
That seems to be an entirely different point. Krebs suggests repeatedly that all you need to do to get hacked is click "Allow" in the push notification. This is demonstrably false.
"Assuming the user manages not to fat-finger the wrong button" means "assuming the user clicks Don't Allow". They call on the phone to try and convince the user to say Allow next time.
Of course that's kinda BS too, because the only time "Allow" gives you a six digit code is if you successfully authenticate your Apple ID on a new device. If you get the reset password dialog, the result of Allow is not a six digit code, it just allows you to reset the password. Yourself. On your device.
Are you reading the second half of the sentence I posted? Sorry, but I'm not understanding where you are coming from - Krebs lays out clearly in the first paragraph how the attack works and you seem to be deliberately ignoring that.
> Ken didn’t know it when all this was happening (and it’s not at all obvious from the Apple prompts), but clicking “Allow” would not have allowed the attackers to change Ken’s password. Rather, clicking “Allow” displays a six digit PIN that must be entered on Ken’s device — allowing Ken to change his password. It appears that these rapid password reset prompts are being used to make a subsequent inbound phone call spoofing Apple more believable.
Anyone who edits news articles, blog posts or such without clearly disclosing the edit immediately loses my trust. It's a huge problem these days where everything is online instead of in print, but most people do not want to take responsibility for sloppy research or misleading reporting. And that's part of the reason why there is so much misinformation; it sometimes comes from trusted sources too, not just anonymous social media users.
However, in this case, the edit is disclosed at the bottom of the article. Do you think this isn't sufficient? Does the edit disclosure need to contain a link to a diff of the changes or does it need to be at the top?
If you look into the edits in Wayback Machine, you see that previously, the "Ken's experience" was:
"Unnerved by the idea that he could have rolled over on his watch while sleeping and allowed criminals to take over his Apple account, Ken said ..."
Once the article was updated, the original sentence implying that criminals could take over your account while you are sleeping was completely rewritten to say the 180 degree opposite - completely reversing what the initial sensational content said. In reality it is not possible to accidentally hand over your account to attackers by accidentally tapping Allow on your watch in your sleep.
The update disclosure only says: "Added perspective on Ken’s experience."
Fair, and good to know, but I could still easily see reasonable people (not just 80 yr olds with their Obamaphone) falling for this.
And even if not, there's a severe annoyance factor here that could be simply removed by Apple rate limiting these requests. Why can they send you hundreds of these in a short time?
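The rate limiting the comment above asks for can be sketched concretely. The following is an added example, not Apple's code and not from the Krebs article: a per-account sliding-window limiter that caps how many password-reset prompts an account may receive in a window and then suppresses further prompts for a cooldown period. The thresholds (3 prompts per 10 minutes, 1 hour cooldown), the account identifiers and the replayed burst are all constructed for illustration.

```python
"""Per-account rate limiter for password-reset push prompts (added example).

Not Apple's implementation. Thresholds are assumptions: at most
MAX_PROMPTS prompts per WINDOW_SECONDS, then a COOLDOWN_SECONDS block.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResetPromptLimiter:
    max_prompts: int = 3             # assumption: 3 prompts ...
    window_seconds: float = 600.0    # ... per 10-minute sliding window
    cooldown_seconds: float = 3600.0  # assumption: 1 hour block once exceeded
    _history: dict = field(default_factory=dict)       # account -> deque of timestamps
    _blocked_until: dict = field(default_factory=dict)  # account -> unblock time

    def allow(self, account_id: str, now: float) -> bool:
        """Return True if a reset prompt may be pushed to account_id at time `now`.

        A request that would exceed the window limit is denied and starts
        the cooldown; the burst that triggered it is discarded so the
        account starts with a clean window once the cooldown ends.
        """
        if now < self._blocked_until.get(account_id, 0.0):
            return False
        window = self._history.setdefault(account_id, deque())
        # Evict timestamps that have fallen out of the sliding window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_prompts:
            self._blocked_until[account_id] = now + self.cooldown_seconds
            window.clear()
            return False
        window.append(now)
        return True


def simulate(request_times, limiter=None):
    """Replay (account_id, timestamp) requests and return the allow/deny decisions."""
    limiter = limiter or ResetPromptLimiter()
    return [limiter.allow(account, t) for account, t in request_times]


# Constructed burst: six reset requests against one account in 25 seconds.
BURST = [("victim@example.invalid", t) for t in (0, 5, 10, 15, 20, 25)]

if __name__ == "__main__":
    decisions = simulate(BURST)
    print("decisions:", decisions)
    print("prompts delivered:", sum(decisions), "of", len(BURST))
```

Only the first three requests of the burst reach the device; the rest are dropped and the account stays quiet for the cooldown, while other accounts are unaffected. A production version would also log the denied requests, since a burst of reset attempts is itself a signal worth alerting on.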