Apple Aware of iCloud Login Harvesting in China, Launches Browser Security Guide

Earlier this week, web censorship blog Great Fire suggested that hackers aligned with Chinese authorities were using man-in-the-middle attacks in order to harvest Apple ID information from Chinese users that visited Apple's iCloud.com website.

In a newly released support document (via The Wall Street Journal), Apple has confirmed that it is aware of the "intermittent organized network attacks" on iCloud users, but says that its own servers have not been compromised.

Apple is deeply committed to protecting our customers' privacy and security. We're aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.

Apple's support document goes on to stress the importance of digital certificates, suggesting that users who see an invalid certificate warning in their browser while visiting iCloud.com should not proceed. The company also outlines how users can verify that their browser is connected to iCloud.com and not a third-party man-in-the-middle website.

safariicloudverified
Apple asks users to make sure that a green lock icon is visible in Safari and that the message "Safari is using an encrypted connection to www.icloud.com" is displayed when the lock icon is clicked. Apple also has verification instructions for both Chrome and Firefox.

Unfortunately, many of the victims falling prey to the fake iCloud sites are not using secure browsers that issue warnings when fake websites are visited. According to Great Fire, many Chinese users access the Internet through popular Chinese browser Qihoo, which does not let users know that a fake site is harvesting their information.

The attack works by redirecting Chinese users attempting to access iCloud.com to a fake website that resembles the iCloud website. Users that log into the fake site provide attackers with logins and passwords that can be used to access contacts, messages, photos, and documents stored within iCloud.

Though Great Fire has suggested that Chinese authorities may be involved in the attacks, a spokeswoman for China's Foreign Ministry (via CNBC) said that Beijing was "resolutely opposed" to hacking.

Chinese users should switch to a trusted browser like Firefox or Chrome to avoid falling prey to the fake iCloud.com website, or use a VPN to bypass the redirection and log in directly to iCloud.com. Two-factor authentication should also be turned on as it can prevent unauthorized users from logging into an iCloud account even when a username and password are obtained.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Top Rated Comments

Bahroo Avatar
93 months ago
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?


Are you on drugs bro? this isn't Apple's fault at all, its people in China , they made a fake iCloud website that looks just like the real one and if your using a 3rd party browser, you get routed to this fake website, and its very easy to spot that there is no SSL protection/no green box next to the website link, this is common sense, and isn't Apple's fault in any way at all. This is not a issue if you use reliable browsers like Firefox, Chrome, IE, etc
Score: 14 Votes (Like | Disagree)
Deelron Avatar
93 months ago

So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

I'm fairly sure your boring old bank would fail if their direct access to the Internet was compromised.
Score: 9 Votes (Like | Disagree)
Small White Car Avatar
93 months ago

So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?
Your boring old bank is open to EXACTLY this kind of attack in EXACTLY the same ways.

Furthermore, if I called your bank and asked them what to do about it they'd give the EXACT same advice Mac Rumors has given here.

EDIT: And before you come back and tell me about how your bank requires a picture of a parrot or a soccer ball or something, ask yourself if you think the people who don't know what an SSL lock looks like will be at all deterred from signing in when their favorite kind of bird doesn't show up this one time.
Score: 8 Votes (Like | Disagree)
iphonedude2008 Avatar
93 months ago
I'm fairly sure your boring old bank would fail if their direct access to the Internet was compromised.

This. Someone here gets it.
Score: 7 Votes (Like | Disagree)
iphonedude2008 Avatar
93 months ago
I love how half-assed Apple security is.

----------



So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?

He's saying its not apples fault because this is a phishing scam. The browser goes to a scam site instead of apple's. All they can do is tell user to check for the correct certificate, reset passwords, and enable 2 factor.
Score: 6 Votes (Like | Disagree)
Deelron Avatar
93 months ago
Though Great Fire has suggested that Chinese authorities may be involved in the attacks, a spokeswoman for China's Foreign Ministry (via CNBC) said that Beijing was "resolutely opposed" to hacking.

You keep using that word, I do not think it means what you think it means.
Score: 6 Votes (Like | Disagree)

Related Stories

Mac Notebook Upgrade Program

Apple Introduces New MacBook Upgrade Program for Business Partners

Monday November 29, 2021 7:38 am PST by
In association with CIT as the financing partner, Apple has launched a new Mac Upgrade Program for small businesses and Apple business partners that allow companies to easily distribute and upgrade their fleets of MacBooks at an affordable price to all of their workers. As outlined on CIT's website, shared by Max Weinbach, Apple Business Partners can distribute the 13-inch MacBook Pro,...
General cyber monday 20 sale feature

Best Cyber Monday Deals for AirPods, Apple Pencil, iMac, More

Monday November 29, 2021 4:19 am PST by
With Black Friday over, Cyber Monday 2021 is now in full swing and you can find many of the same sales as last week on Apple products like AirPods, Apple Pencil, and iPad Pro. In this article we're focusing on the best Cyber Monday discounts on Apple products like these and more. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we...
2017 apple tv

Cyber Monday: Original Apple TV 4K Drops to $99.99 for Amazon Prime Members

Monday November 29, 2021 12:01 pm PST by
We've been tracking Apple product and accessory deals for Cyber Monday 2021 today, and now Woot is offering a solid discount on the previous generation 32GB Apple TV 4K. You can get this device in new condition for just $99.99 if you're an Amazon Prime member. Note that this sale will last for one day only. Note: MacRumors is an affiliate partner with some of these vendors. When you click a...
iphone holiday

Best Black Friday iPhone Deals Still Available

Friday November 26, 2021 4:58 am PST by
Cellular carriers have always offered big savings on the newest iPhone models during the holidays, and Black Friday 2021 sales have now carried over into Cyber Monday as well. Right now we're tracking notable offers on the iPhone 13 and iPhone 13 Pro devices from AT&T, Verizon, and T-Mobile. For even more savings, keep an eye on older models like iPhone SE. Note: MacRumors is an affiliate...
General cyber monday 20 sale feature 2

Best Cyber Monday Apple Accessory Deals Available Today

Monday November 29, 2021 6:41 am PST by
We started sharing deals on Apple products for Cyber Monday 2021 earlier today, and now we're tracking deals and bargains available from all of the best Apple accessory companies. Similar to Black Friday, you can expect Cyber Monday savings from Twelve South, Nomad, Belkin, Casetify, and many more. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and...
iPhone SE Cosmopolitan Clean

New iPhone SE Reportedly on Track for Release in First Quarter of 2022

Tuesday November 30, 2021 8:08 am PST by
Apple plans to release a third-generation iPhone SE in the first quarter of 2022, according to Taiwanese research firm TrendForce. If this timeframe proves to be accurate, we can expect the device to be released by the end of March. As previously rumored, TrendForce said the new iPhone SE will remain a mid-range smartphone with added support for 5G:In terms of product development, Apple is...