Going All In on MobileMe
A group of researchers from security firm SensePost just revealed a hack of Apple’s MobileMe service. Rather than demonstrating a weakness in the service, the feat is a model of the sheer doggedness on the part of some hackers.
The three researchers–Haroon Meer, Nick Arvanitis and Marco Slaviero–wanted to find a way to break into the service and attack other users. Here are the steps that they took:
1. Find a person with a MobileMe account who is not careful with their data
The researchers identified a person with a MobileMe account that gave a secondary e-mail for their password reset. By guessing or knowing the person’s me.com e-mail address and finding the person’s data of birth, they could have a password reset e-mail sent to another e-mail address.
2. Intercept the e-mail
The researchers figured out that the e-mail was going to be sent to a Hotmail account. When they checked that account, they found that it has been suspended because of lack of use. They re-registered the account and gained access to the MobileMe password reset message.
3. Reconfigure MobileMe
Using the reset link, they gained access to the victim’s MobileMe account. They then reconfigured it, adding their own iPhone to the account before returning the log-in credentials to the original password. Finally, they change the name of their iPhone to a JavaScript command, so that it executes every time the victim logs into MobileMe.
4. Full access
The researchers then had access to the other person’s account.
Like Sarah Palin, users that use simple password recovery clues or allow too much information to be displayed in their online profiles could be vulnerable to attack. But the MobileMe specific issues–such as the ability to send Javascript code as a Phone name- have now been fixed, according to the researchers.
Keep Reading
Most Popular
Geoffrey Hinton tells us why he’s now scared of the tech he helped build
“I have suddenly switched my views on whether these things are going to be more intelligent than us.”
ChatGPT is going to change education, not destroy it
The narrative around cheating students doesn’t tell the whole story. Meet the teachers who think generative AI could actually make learning better.
Meet the people who use Notion to plan their whole lives
The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.