This is a HUGE iOS security issue. Especially the last 2 years where you'd be asked for the PIN code when wearing a mask. You're not protected from this, even with 2-factor enabled.

https://www.wsj.com/articles/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a?st=i7u41zn623p8501&reflink=desktopwebshare_permalink

A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life

The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’

WSJ
@KrauseFx FaceID has worked with masks for over a year; it’s a hole but not a huge issue and only affects those that insist on using passcodes
@weiran Doesn't work well for me 🤷‍♂️ and "over a year" is still a year where this was actively exploited, including a friend of mine
@KrauseFx the conditions needed to exploit this mean you have to be targeted individually. It definitely sucks and Apple should put more protection around Apple ID password changes, but compared to something like the recent Safari 0-days it’s barely worth worrying about.
@KrauseFx it’s not a “Huge” issue, and it also affects Android (but of course articles about Apple always sell better).
It’s the same trick people use to “shoulder surf” whilst you type your PIN at an ATM.
There is no good solution other than users being vigilant when entering their passcode.
@mluisbrown so why doesn’t apple ask for the current password when changing the Apple ID password when the phone was unlocked using just a pin?
@mluisbrown @KrauseFx the issue is how far you can get with a spoofed pin code, and that you can change the icloud password with it
@myell0w @KrauseFx that’s a good point. Apple ought to require the existing iCloud password in order to change it 👍 Although that wouldn’t prevent users having their bank accounts emptied, it would prevent disabling Find My and locking people out of their iCloud account.
Ironically not having a passcode at all would protect you from this as then you do need your existing password in order to change it.

@myell0w @KrauseFx this is a workaround I’ve seen mentioned:

1. Turn on Screen Time, set a distinct screen time passcode.
2. Enable Content & Privacy Restrictions.
3. Within Content & Privacy Restrictions, set both Account Changes and Passcode Changes to Don't Allow.

@KrauseFx it's particularly damning that Apple's features to avoid entering the passcode are so unreliable: FaceID, FaceID with mask, and unlock with Apple Watch.