hack


'hack' Articles

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password. As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app. Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text. I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password. The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible. As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a

Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments

Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Apple allows users to access Find My iPhone without requiring two-factor authentication in case a person's only trusted device has gone missing. 2-factor authentication not required to access Find My iPhone and a user's list of devices. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. Y'all my MacBook been locked and hacked. Someone help me @apple @AppleSupport pic.twitter.com/BE110TMgSv— Jovan (@bunandsomesauce) September 16, 2017 The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details. It's easy to lock a Mac with a passcode in Find My iPhone if you have someone's Apple ID and password. To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice. Products like

Developer Hacks Apple Watch to Run Game Boy Emulator

Developer Gabriel O'Flaherty-Chan recently shared a project where he managed to get a Game Boy emulator he dubbed "Giovanni" running on the second-generation Apple Watch, allowing it to play Game Boy and Game Boy Color games. According to O'Flaherty-Chan, it was a challenge finding the right balance "between framerate and performance," but he says the end result is a "surprisingly usable emulator." In GIFs shared in a blog post, the Apple Watch is displayed running Pokémon Yellow. The Giovanni emulator, named after the villain in Pokémon Yellow, was built using open source code from Gambatte, an existing iOS emulator. It uses the Digital Crown and gestures for control purposes. By allowing the user to pan on screen for directions, rotate the Digital Crown for up and down, and tap the screen for A, I was able to eliminate buttons until I was left with Select, Start, and B. Touching the screen for movement isn't a great interaction, but being able to use the Crown worked out a lot better than originally anticipated. Scrolling through a list of options is basically what the Crown was made for, and if the framerate was even slightly higher, the interaction could almost be better than a hardware D-pad.As Ars Technica points out, Giovanni is not something you should expect to see in the App Store -- it's more of a proof of concept than anything else. Apple does not allow emulators on the App Store, and O'Flaherty-Chan himself says it is afflicted with bugs due to the "constraints of watchOS," including the lack of support for OpenGL and Metal. The Giovanni

iOS Hacker Shows Web Browser Running on Apple Watch

iOS developer Nicholas Allegra, better known by his handle "comex" within the jailbreaking community, shared a short video on Twitter that shows a web browser running on the Apple Watch. The fifteen-second clip shows Allegra tapping, panning and zooming on the Google homepage on the Apple Watch, but the functionality is limited as to be expected because of the small screen size and lack of an on-screen keyboard. "I always wanted a web browser on my wrist," tweeted Allegra, who later shared another picture of the iOS built-in dictionary running on the Apple Watch. Allegra stopped short of providing details about the hack, but a web browser running on the Apple Watch is an interesting proof-of-concept and fuels the possibility of an Apple Watch jailbreak or native apps with web browsing capabilities in the future. Apple confirmed last November that fully native Apple Watch apps will be available later this year, but it remains unclear what restrictions Apple will place on them. Apple Watch apps are currently loaded from a paired iPhone via Bluetooth as WatchKit extensions, and developers do not have access to the Apple Watch's gyroscope, accelerometer, built-in speaker, microphone or Taptic Engine. Allegra was an active member of the jailbreaking community in the early years of iOS devices, while attending Brown University in Rhode Island. Under the pseudonym "comex," he revived JailbreakMe.com in early 2011 as a one-tap jailbreaking solution for compatible iPhone, iPad and iPod touch devices at the time. He later interned at Apple in 2011 and Google in 2013.