Apple Aware of iCloud Login Harvesting in China, Launches Browser Security Guide

Earlier this week, web censorship blog Great Fire suggested that hackers aligned with Chinese authorities were using man-in-the-middle attacks in order to harvest Apple ID information from Chinese users that visited Apple's iCloud.com website.

In a newly released support document (via The Wall Street Journal), Apple has confirmed that it is aware of the "intermittent organized network attacks" on iCloud users, but says that its own servers have not been compromised.

Apple is deeply committed to protecting our customers' privacy and security. We're aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.

Apple's support document goes on to stress the importance of digital certificates, suggesting that users who see an invalid certificate warning in their browser while visiting iCloud.com should not proceed. The company also outlines how users can verify that their browser is connected to iCloud.com and not a third-party man-in-the-middle website.

safariicloudverified
Apple asks users to make sure that a green lock icon is visible in Safari and that the message "Safari is using an encrypted connection to www.icloud.com" is displayed when the lock icon is clicked. Apple also has verification instructions for both Chrome and Firefox.

Unfortunately, many of the victims falling prey to the fake iCloud sites are not using secure browsers that issue warnings when fake websites are visited. According to Great Fire, many Chinese users access the Internet through popular Chinese browser Qihoo, which does not let users know that a fake site is harvesting their information.

The attack works by redirecting Chinese users attempting to access iCloud.com to a fake website that resembles the iCloud website. Users that log into the fake site provide attackers with logins and passwords that can be used to access contacts, messages, photos, and documents stored within iCloud.

Though Great Fire has suggested that Chinese authorities may be involved in the attacks, a spokeswoman for China's Foreign Ministry (via CNBC) said that Beijing was "resolutely opposed" to hacking.

Chinese users should switch to a trusted browser like Firefox or Chrome to avoid falling prey to the fake iCloud.com website, or use a VPN to bypass the redirection and log in directly to iCloud.com. Two-factor authentication should also be turned on as it can prevent unauthorized users from logging into an iCloud account even when a username and password are obtained.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Popular Stories

ios 17 iphone 15 pro status bar sos crop feature2

iPhone SOS: Verizon Experiences Major Outage Across the U.S. [Update: Fixed]

Monday September 30, 2024 9:03 am PDT by
Verizon is currently experiencing a major outage that is affecting many customers across the U.S., including iPhone users. Affected users may be unable to send or receive phone calls, send or receive text messages, or use cellular data. As a result of the network being down, many affected iPhone users are seeing "SOS" displayed in their device's status bar. In a support document, Apple says...
15 New Things Your iPhone Can Do in iOS 18

15 New Things Your iPhone Can Do in iOS 18.1

Friday September 27, 2024 6:14 am PDT by
Apple is set to release iOS 18.1 in October, bringing the first set of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update marks a significant step forward in Apple's AI integration, offering a new Siri contextually-aware experience and a range of additional capabilities powered by on-device machine learning and large language models. There are a couple of handy new...
m3 mbp space black

What to Expect From an Apple Event in October: iPad Mini 7, Redesigned Mac Mini, and More

Friday September 27, 2024 11:47 am PDT by
Apple will likely hold another event in October this year to announce new Macs and iPads. If so, it would be the fourth time in the last five years that Apple has held an event in October. Last year, Apple held a virtual event on Monday, October 30 to announce new MacBook Pro and iMac models with the M3 series of chips. Subscribe to the MacRumors YouTube channel for more videos. Below, we...
airpods pro 2 gradient

AirPods Pro 3 Expected Next Year: Here's What We Know

Tuesday October 1, 2024 5:47 am PDT by
Despite being released over two years ago, Apple's AirPods Pro 2 continue to dominate the wireless earbud market. However, with the AirPods Pro 3 expected to launch sometime in 2025, anyone thinking of buying Apple's premium earbuds may be wondering if the next generation is worth holding out for. Apart from their audio and noise-canceling performance, which are generally regarded as...
iphone 16 pro colors 1

iPhone 16 Pro Max Charging Speed Test Proves 45W Rumor Was Wrong

Monday September 30, 2024 8:16 am PDT by
While a Chinese regulatory filing showed that all iPhone 16 models are rated for up to 45W charging speeds, tests have since shown that the devices do not actually charge this fast. However, there are still improvements. ChargerLAB last week tested the iPhone 16 Pro Max with a variety of Apple and third-party chargers, and it found that the device achieved maximum sustained charging speeds...
iPhone SE 4 Thumb 2

Apple's Next New iPhone to Debut in the Spring: What to Expect

Tuesday October 1, 2024 3:14 am PDT by
Apple's budget-friendly iPhone SE is set for a major overhaul with a fourth generation model expected to launch in spring 2025. The upcoming model will mark a significant departure from its predecessors, adopting several features from higher-end iPhones while maintaining its position as the most affordable new model in Apple's lineup. According to recent reports, the iPhone SE 4 will sport a ...
apple silicon mac lineup wwdc 2022 feature purple

MacBook Pro, iMac, and Redesigned Mac Mini With M4 Chips on Track to Launch 'This Year'

Tuesday October 1, 2024 1:57 pm PDT by
Apple plans to release new MacBook Pro, iMac, and Mac mini models with the M4 series of chips "this year," according to Bloomberg's Mark Gurman. Gurman initially said these Macs would likely be announced during a virtual event this October, but he has been more vague about the timing lately, with wording such as "in the coming weeks" and now merely "this year." In any case, it is clear that...
iPad iOS 16 WP Display Feature eric edit

Apple May Launch First iPad-Like Smart Home Accessory Next Year

Monday September 30, 2024 2:55 am PDT by
Apple could release an iPad-like smart home accessory based on its homeOS platform as early as next year, according to Bloomberg's Mark Gurman. Writing in his latest Power On newsletter, Gurman reports that the display will run Apple apps like Calendar, Notes, and Home, and will feature an interface "optimized for controlling home appliances and quickly seeing information." Apple's...

Top Rated Comments

Bahroo Avatar
130 months ago
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?


Are you on drugs bro? this isn't Apple's fault at all, its people in China , they made a fake iCloud website that looks just like the real one and if your using a 3rd party browser, you get routed to this fake website, and its very easy to spot that there is no SSL protection/no green box next to the website link, this is common sense, and isn't Apple's fault in any way at all. This is not a issue if you use reliable browsers like Firefox, Chrome, IE, etc
Score: 14 Votes (Like | Disagree)
Deelron Avatar
130 months ago

So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

I'm fairly sure your boring old bank would fail if their direct access to the Internet was compromised.
Score: 9 Votes (Like | Disagree)
Small White Car Avatar
130 months ago

So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?
Your boring old bank is open to EXACTLY this kind of attack in EXACTLY the same ways.

Furthermore, if I called your bank and asked them what to do about it they'd give the EXACT same advice Mac Rumors has given here.

EDIT: And before you come back and tell me about how your bank requires a picture of a parrot or a soccer ball or something, ask yourself if you think the people who don't know what an SSL lock looks like will be at all deterred from signing in when their favorite kind of bird doesn't show up this one time.
Score: 8 Votes (Like | Disagree)
iphonedude2008 Avatar
130 months ago
I'm fairly sure your boring old bank would fail if their direct access to the Internet was compromised.

This. Someone here gets it.
Score: 7 Votes (Like | Disagree)
iphonedude2008 Avatar
130 months ago
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

He's saying its not apples fault because this is a phishing scam. The browser goes to a scam site instead of apple's. All they can do is tell user to check for the correct certificate, reset passwords, and enable 2 factor.
Score: 6 Votes (Like | Disagree)
Deelron Avatar
130 months ago
Though Great Fire has suggested that Chinese authorities may be involved in the attacks, a spokeswoman for China's Foreign Ministry (via CNBC) said that Beijing was "resolutely opposed" to hacking.

You keep using that word, I do not think it means what you think it means.
Score: 6 Votes (Like | Disagree)