Security

Apple: two-step verification for Apple IDs will require app-specific passwords starting tomorrow

If you have two-step verification enabled and you're currently signed in to a third-party app using your Apple ID password, you'll need to adjust to a new change starting tomorrow. For security purposes, Apple is introducing app-specific passwords to access iCloud data using third-party apps.

Apple will allow users to generate these app-specific passwords via the Password & Security section of its Apple ID website. Once there, you'll simply need to click Generate App-Specific Password to create a password for the third-party app that you wish to grant access to your iCloud data.

AT&T says customer info accessed in insider data breach

AT&T confirmed on Monday that it suffered a data breach in August, carried out by one of its own employees. In a letter to Vermont's attorney general, officials for the carrier said a former staffer accessed customer account information, including Social Security and driver's license numbers.

Additionally, the company notes that the insider viewed Customer Proprietary Network Information (or CPNI), which includes metadata such as time, duration and destination of phone calls. It would not identify, however, how many of its customer accounts were affected by the breach.

Apple releases tool to check the Activation Lock status of iOS devices

Apple recently released a tool that lets anyone check the Activation Lock status of iOS devices. Introduced alongside iOS 7, Activation Lock is a security feature that prevents anyone from erasing or activating your iOS device without entering your Apple ID and password first. The feature must be disabled before a device is passed on or sold to another person. Failure to do so renders the device unusable for the new owner.

With the release of this new tool, Apple wants to make the process of checking for Activation Lock easier, and prevent people from buying a device that might have been locked because it was lost, stolen, or simply because the previous owner forgot to remove the device from his account.

Meet Xsser mRAT, Chinese trojan that steals treasure trove of info from jailbroken iOS devices

There's a new trojan in town, one that attacks jailbroken iPhone, iPod touch and iPad devices.

As discovered by Lacoon, the malicious software dubbed Xsser mRAT uses social engineering to steal valuable data from jailbroken devices by fooling unsuspecting users into tapping an install link in phishing messages from unknown senders.

Created by Chinese hackers, it can extract a vast range of personal information including your iOS address book, SMS messages, call logs, GSM identities, your approximate geographical location (as determined by the cell tower ID), on-device pictures, as well as passwords and other authentication data in the iOS keychains used by your Apple ID, mail accounts and other services.

Apple issues update to patch ‘Shellshock’ Bash bug in OS X

Apple on Monday delivered the promised update to patch the 'Shellshock' Bash bug in OS X. You can download the update manually here, otherwise it should be popping up in the Updates tab of the Mac App Store shortly.

The security flaw was uncovered by security researchers last week and sent much of the Internet into a panic. Affecting the bash command shell in UNIX, the exploit allows hackers to remotely execute malicious code.

iOS 8’s predictive QuickType keyboard found to suggest parts of your passwords [updated]

QuickType, Apple's new predictive keyboard featured on the iPhone, iPod touch and iPad devices running iOS 8, is reportedly plagued with a potentially dangerous oversight where the software would suggest parts of your passwords that you previously used on websites, as first reported by French-language blog iGen.fr.

A new thread on Apple's Support Communities website includes a note by one user who reported the keyboard offering “OrangeJuice” as a suggestion each time he would type in “AppleUser” because QuickType remembered the “OrangeJuice!2” password he previously used to log in to Outlook Web App.

Apple readying a fix for Bash vulnerability, ‘vast majority’ of Mac users unaffected

A fix for a new kind of exploit recently discovered in the Bash command shell used in multiple versions of Unix is underway, Apple confirmed Friday, adding that the “vast majority” of Mac users are unaffected because OS X is "safe by default" from the so-called 'Shell Shock' attacks.

"The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities," an Apple spokesperson said in a statement quoted by The Verge.

The vulnerability was documented and publicized Thursday by security researchers at Red Hat and gained prominence after security expert Robert Graham called it “as big as the Heartbleed bug,” referring to a nasty vulnerability discovered earlier in the year in the OpenSSL software commonly used by nearly two-thirds of servers powering the Internet.

Researcher warned Apple of iCloud vulnerability six months before nude celeb pics leaked

A string of bad news for Apple continues with a revelation published Thursday on The Daily Dot that London-based computer security expert Ibrahim Balic gave Apple a heads-up about a vulnerability he had discovered in iCloud, but the company discounted the severity of the issue and ignored the problem for six months.

As you know, the issue blew up in a major way, becoming the topic of late-night shows, after several celebrities with weak Apple ID passwords saw their nude photographs hijacked and posted on the web.

New Unix command line exploit makes Macs vulnerable to attacks

A new exploit in the Bash command shell found in many versions of Unix, including Apple's OS X desktop operating system, makes Mac computers vulnerable to so-called 'Shell Shock' attacks, security researchers at Red Hat discovered Thursday.

Though the exploit lets attackers run malicious scripts remotely, most people are not at risk unless they've manually allowed SSH access from remote connections or are running a web server with server-side scripting.

Here's how you can check if you're vulnerable and what you can do in order to avoid 'Shell Shock' attacks on your system.

Parental Controls For iOS restricts the amount of time your child spends on your device

One of the features that iOS 7 lacks is the ability to control the amount of time your child spends using your device. Parental Controls for iOS is a new jailbreak tweak that aims to bring this highly anticipated feature to jailbroken iOS 7 devices.

Developed by Ge0rges, the tweak allows you to limit the amount of time a person can use your iOS device. Once the time has ended, the user will automatically be locked out of your device and a pop-up will be displayed with three buttons: 'Emergency Call'; 'Add One Hour', which allows the device to be used for an extra hour once the parental passcode has been entered; and 'Ok'. The only way your child can gain access to your device once the time limit has been reached is when you choose to add an extra hour.

Safari 7.1 for Mavericks is out with encrypted Yahoo searches, DuckDuckGo and more

Apple on Thursday released an update to its desktop Safari browser for Macs running OS X Mavericks which contains improvements to compatibility and security while introducing a pair of new options for strengthening your privacy when searching.

The first such feature turns on SSL encryption for all Yahoo searches conducted from Safari's search field. As a result, no one can eavesdrop on what you're searching for online.

The other adds DuckDuckGo, a search engine that does not track you (Google won't like this), as a built-in option in the search field. Note that Safari in iOS 8 and OS X 10.10 Yosemite already includes DuckDuckGo as an option.

Safari 7.1 has arrived on the heels of yesterday's OS X Mavericks 10.9.5 update which contains Safari 7.0.6 and improves the stability, compatibility and security of your Mac.

Apple launches new privacy-focused site with government request figures and more

Apple this evening launched a new privacy site in an effort to increase transparency on how it protects user data, and to educate users on how they can better protect themselves. Additionally, Tim Cook has posted an open letter to Apple Customers detailing the various sections of the new site, as well as Apple's stance on user privacy.

The move follows recent bad publicity for Apple, in which its lax iCloud security measures were blamed for the hacking of high-profile celebrity accounts, which resulted in a slew of nude photos being leaked. The company maintains that its servers were never breached, but Tim Cook promised to double down on security anyway.