
Amazon and Apple Aid and Abet Digital Drive-By

Late last week, Wired reporter Matthew Honan's digital life was shaken like a squirrel in the mouth of a pit bull. With the unwitting help of Apple and Amazon, a group of hackers gained access to Honan's online identity and proceeded to have their way with it.

Honan wrote a long account of his ordeal for Wired, which has since boomeranged around the InterWebs:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

Scary? You bet. And the hackers couldn't have done it without the massive and total failure of both Apple and Amazon to safeguard their customers' data.

A few hours after Honan blogged about his virtual buggering on his Tumblr page, one of the hackers -- a guy calling himself "Phobia," from a group called Clan Vv3 -- got in touch with him and told him how they did it.

It started with Honan's Twitter account, which linked to his personal website, where Phobia found Honan's Gmail address. Using Google's account recovery page, Phobia gleaned Honan's alternate email, which was an Apple @me address. As Honan wrote:

Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple's tech support issue him the keys to my account.

Phobia got Honan's billing address via a Whois search on Honan's domain, then used a bit of social engineering to get Amazon's tech support to provide him with the last four digits of Honan's credit card number. (I won't get into all the nitty-gritty; Honan does a fine job summarizing it himself.)

Once Phobia and friends gained access to Honan's Apple account, it was game over. They could do whatever they wanted to him -- and they did, proceeding to wipe out every photo Honan had ever taken of his two-year-old daughter, to name just one example.

Why did they do this to Honan? Because they coveted his Twitter handle, @mat. That was all it took.

To prove it wasn't an isolated failure caused by some clueless support tech, other Wired reporters duplicated the hack twice on other accounts using the same techniques (but without causing any damage, obviously).

After this story went viral, Amazon quietly closed the loophole the hackers used to make a hash out of Honan's life, forbidding users from adding credit cards or changing passwords over the phone. Apple suspended its practice of allowing password resets over the phone pending further investigations into the hack. The fact that these two companies -- normally arrogant beyond belief and impervious to most criticism, especially when it comes from journalists -- moved so quickly tells you just how serious a breach this was.

Honan cops to some culpability in his own demise: He had failed to maintain a local backup of his data, and he'd been perhaps a little too laissez-faire in how he had linked all of his accounts -- for example, using the same email prefix for everything. As for all you out there in Cringeville clucking your tongues and saying "tsk tsk," admit it; you've made similar mistakes in your life, at least once.

Honan also notes that had he turned on two-factor authentication for his Gmail account, forcing would-be hackers to enter a PIN sent via text message to Honan's phone, Phobia and pals would have been stopped in their tracks.
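The column's advice boils down to two things: unlink your accounts and turn on two-factor authentication. The script below, an added example rather than anything from the column or from Honan, turns the chain described above into a small dependency model so you can see which link actually matters. The account names, the rules, and the mitigation names are a constructed model of the narrative, not data about how any vendor's support process works; in particular the inputs assumed for the Amazon step are this model's guess, since the column skips the details.

```python
"""Account-recovery dependency model for the chain of linked accounts the
column describes. Added example: the accounts, links and mitigation names are
a constructed model of the narrative, not data about any vendor's current
support process."""

from typing import FrozenSet, Iterable, List, Set, Tuple

# A rule reads: an attacker who already controls every name in `prereqs`
# gains `target`, unless `mitigation` (empty string = none) is in place.
# "public_info" stands for anything anyone can look up: the Twitter bio,
# the personal website, the domain's Whois record.
Rule = Tuple[str, FrozenSet[str], str]

RULES: List[Rule] = [
    # The personal site linked from Twitter listed the Gmail address.
    ("gmail_address", frozenset({"public_info"}), ""),
    # Google's recovery page hinted at the alternate (@me) address.
    ("me_address", frozenset({"gmail_address"}), "hide_recovery_hint"),
    # Whois on the domain gave the billing address.
    ("billing_address", frozenset({"public_info"}), "whois_privacy"),
    # Phone social engineering of Amazon support produced the last four
    # card digits; the exact inputs needed are an assumption of this model.
    ("card_last4", frozenset({"gmail_address", "billing_address"}), "amazon_no_phone_changes"),
    # Apple support reset the AppleID given email + billing address + last four.
    ("apple_id", frozenset({"me_address", "billing_address", "card_last4"}), "apple_no_phone_resets"),
    # An AppleID holder can remotely erase the linked devices.
    ("device_wipe", frozenset({"apple_id"}), ""),
    # The @me address was Gmail's recovery address; 2FA blocks this step.
    ("gmail", frozenset({"me_address"}), "gmail_2fa"),
    # Twitter's password reset goes to the Gmail address.
    ("twitter", frozenset({"gmail"}), ""),
]

ALL_MITIGATIONS: FrozenSet[str] = frozenset(m for _, _, m in RULES if m)


def reachable(rules: Iterable[Rule], mitigations: Set[str],
              start: Iterable[str] = ("public_info",)) -> Set[str]:
    """Least fixpoint: keep applying rules until nothing new is gained."""
    rules = list(rules)
    owned: Set[str] = set(start)
    changed = True
    while changed:
        changed = False
        for target, prereqs, mitigation in rules:
            if target in owned or (mitigation and mitigation in mitigations):
                continue
            if prereqs <= owned:
                owned.add(target)
                changed = True
    return owned


def blast_radius(rules: Iterable[Rule], mitigations: Set[str]) -> Set[str]:
    """Everything an attacker ends up holding, minus the public starting point."""
    return reachable(rules, mitigations) - {"public_info"}


def rank_single_fixes(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Sort mitigations by how many nodes each one alone removes from the
    attacker's reach (highest first; ties broken by name, reversed)."""
    baseline = len(blast_radius(rules, set()))
    scores = [(baseline - len(blast_radius(rules, {m})), m)
              for m in sorted({m for _, _, m in rules if m})]
    return sorted(scores, reverse=True)


if __name__ == "__main__":
    print("no mitigations:", sorted(blast_radius(RULES, set())))
    print("gmail 2FA only:", sorted(blast_radius(RULES, {"gmail_2fa"})))
    print("everything fixed:", sorted(blast_radius(RULES, set(ALL_MITIGATIONS))))
    for gain, name in rank_single_fixes(RULES):
        print(f"{name:>24}: removes {gain} node(s)")
```

Run as-is, the model reproduces the column's chain: with nothing fixed, everything from the Apple ID to the device wipe falls out of two pieces of public information. Turning on Gmail two-factor authentication alone cuts off the Gmail and Twitter takeovers but, in this model, leaves the Apple ID and the remote wipe reachable, which is why the column's advice pairs 2FA with unlinking the accounts; the ranking shows that the single most valuable change in the modelled chain is not leaking the recovery address at all.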

I must admit to a grudging admiration for some of the actions of Anonymous and its various offshoots, which combine an arch sense of humor with anticorporate vandalism. In many cases, Anonymous's victims (like HBGary Federal or Sony) kind of had it coming. But this was the hacking equivalent of a drive-by shooting. Honan did nothing to deserve this.

InfoWorld's editorial standards preclude me from employing the terms I would typically use to describe Honan's tormentors, who are probably still in high school and/or living in their parents' basements. Anyone who criticizes them publicly of course puts a big bull's-eye on their back, despite the fact that in executing the Honan hack the "Clan" violated its own rules of conduct. Still, I would derive not a small amount of pleasure watching these juvenile delinquents doing a perp walk on the nightly news. I have to imagine Honan wouldn't mind so much either.

And if you haven't unlinked your accounts, mixed up your email prefixes, and adopted two-factor authentication yet, now might be a good time.

Who's most at fault here: Apple/Amazon, Honan, or the hackers? Post your thoughts below or email me: cringe@infoworld.com.

This article, "Amazon and Apple aid and abet digital drive-by," was originally published at InfoWorld.com in Robert X. Cringely's Notes from the Field blog.
