If you’re minding your business on your iPhone, iPad, or Mac, and all of a sudden are spammed by pop-ups requesting that you reset your Apple ID password, you would understandably be a bit freaked out. The thing is, this is actually happening, and you should exercise caution—but not panic—if it happens to you.
What’s behind the Apple ID password reset attack
As explained by Krebs on Security, bad actors are attacking Apple users by spamming their devices with password reset requests. These pop-ups do not go away unless you dismiss or engage with them via the Allow or Don’t Allow options, which means in order to continue using your device, you need to constantly tap Don’t Allow.
The pop-ups themselves aren’t necessarily nefarious: This is how Apple allows you to change your Apple ID password on a non-trusted device, or on the web. Let’s say you forget your Apple ID password and go through Apple’s password reset website to reset it: Once you enter the appropriate amount of information, Apple will send a pop-up to your trusted, connected devices to approve the reset process. Once you approve, you can enter a new password.
What bad actors are doing, however, is exploiting some vulnerability in Apple’s MFA (multi-factor authentication) process to not only send these reset pop-ups to your devices, but to truly spam you with them. You may dismiss the pop-up only to receive another almost immediately. One victim had to dismiss over 100 of these pop-ups before they finally stopped.
While we don’t know exactly how attackers are spamming users with pop-ups, it’s not difficult to imagine how they’re targeting their victims. When you go to Apple’s password reset site, you need to present your Apple ID and your phone number. If an attacker knows these two credentials of yours, they’re free to trigger a reset pop-up.
Of course, you don’t want to hit Allow. When you do, whoever is initializing this password request will be able to change your password on your behalf. When they do, they’ll be able to log into your account on their devices and lock you out. While it’s scary enough with how easy it would be to accidentally tap Allow after being spammed so many times, it’s even more concerning that the pop-up appears on your Apple Watch as well. Krebs on Security reports on one victim who received the pop-up on their watch while they were sleeping: I could imagine myself accidentally tapping Allow if half-asleep, just trying to dismiss the notification.
It’s not over if you hit “Don’t Allow”
Even if you’re able to wait out attackers and dismiss these notifications over and over again, they have another tactic at play. Since they have your phone number, they’ll call you directly, spoofing their number as Apple Support. (It will literally show Apple Support’s official number as the incoming caller.)
If you were to answer this call, attackers would try their best to convince you they were Apple Support, perhaps presenting certain information of yours that they have as “proof.” Once they trick you, they’ll trigger an SMS-based OTP (one-time password) code, which Apple uses to prove your identity when logging in somewhere unfamiliar. Don’t share this code with anyone. Apple even includes that warning in the text it sends to you. While ideally, you wouldn’t be talking to the attackers in the first place, if you’re already in this situation, know that Apple Support would never ask for this code themselves.
Unfortunately, it doesn’t seem like there’s any way to protect yourself from these spam pop-ups if attackers already have your Apple ID and phone number. The only thing to do is to change your phone number, which is probably more of a hassle than it’s worth in this case. (But if you have other reasons to do it, it might be worth it.) We’ll just need to wait for Apple to fix whatever vulnerability these bad actors are exploiting to protect us. In the meantime, trust no one, and never tap Allow or OK on unsolicited pop-ups.
