
Apple ID Stolen after turning on two-factor authentication


A popular post appeared in the programmer community V2EX. User airy-canon claimed that his family's iPhone had Apple ID two-factor authentication enabled, but was still scammed through phishing.

Reportedly, his family members downloaded a recipe app from the App Store and authorized signing in with their Apple ID. The app then popped up a password input box.

According to testing by the blogger @BugOS Technology Group, an app on a trusted device can open a hidden WebView to access appleid.apple.com without two-factor verification. This major vulnerability allows the login to be completed with a face scan. The app also used a fake dialog box to trick the user into entering the password, then added the scammer's mobile phone number as a trusted number for two-factor authentication and remotely wiped the device, so that the user could not receive the charge notifications while fraudulent purchases were made.

Looking at the overall mechanism, this method is indeed well hidden and hard to guard against. It is not clear when Apple will fix this vulnerability. The blogger @BugOS Technology Group advises that when a window asking for the Apple ID password appears on the iPhone, press the Home button or swipe up to try to exit; if the window can be exited this way, it is fraudulent.
