Don’t Trust Those “Reset Password” Pop-Ups on Your Apple Devices

If you’re minding your own business on your iPhone, iPad, or Mac and suddenly receive a flood of pop-ups asking you to reset your Apple ID password, you’ll understandably be a little scared. It does happen, and you should be careful, but don’t panic if it happens to you.

What’s Behind the Apple ID Password Reset Attack

As Krebs on Security explained, attackers are targeting Apple users by spamming their devices with password reset requests. These pop-ups won’t go away until you dismiss them using the Allow or Don’t Allow options. This means that in order to continue using your device, you need to keep tapping Don’t Allow.

The pop-ups themselves aren’t necessarily nefarious: they are how Apple lets you change your Apple ID password from an untrusted device or online. Let’s say you forgot your Apple ID password and go to Apple’s password reset website to reset it: once you enter the required information, Apple sends a pop-up to your trusted devices asking you to approve the reset. Once approved, you will be able to enter a new password.

However, attackers are exploiting some weakness in Apple’s MFA (multi-factor authentication) process to not only send these reset pop-ups to your devices, but to spam you with them. You can close the pop-up and get another one almost immediately. One victim had to close over 100 of these pop-ups before they finally stopped.

While we don’t know exactly how attackers spam users with pop-ups, it’s not hard to imagine how they target their victims. When you go to Apple’s password reset site, you are required to provide your Apple ID and phone number. If an attacker knows those two pieces of information about you, they can trigger a reset pop-up.
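The weakness described above is essentially the absence of a throttle between "someone submitted a reset request" and "the trusted device shows a prompt". The following is an added example, not Apple’s code, of how a service could gate those prompts on the server side: a hypothetical `ResetPromptThrottle` that allows only a few prompts per account per sliding window, silences further prompts for a cooldown once the user taps Don’t Allow, and still logs every suppressed request so that a burst shows up for detection even though the user never sees it. The account name, thresholds, and the 100-request burst are constructed for the demonstration.

```python
"""Throttling 'approve password reset' push prompts (added example, not Apple's code)."""
from collections import Counter, deque
from dataclasses import dataclass, field

ACCOUNT = "victim@example.com"  # constructed sample account


@dataclass
class ResetPromptThrottle:
    """Hypothetical server-side gate in front of reset-approval prompts.

    - at most `max_prompts` prompts per account per sliding window
    - an explicit Don't Allow silences prompts for `deny_cooldown_seconds`
    - suppressed requests are counted; `alert_threshold` in one window raises an alert
    """
    max_prompts: int = 3
    window_seconds: int = 3600
    deny_cooldown_seconds: int = 24 * 3600
    alert_threshold: int = 10
    alerts: list = field(default_factory=list)          # (account, time) tuples
    _history: dict = field(default_factory=dict)        # account -> deque of prompt times
    _suppressed: dict = field(default_factory=dict)     # account -> deque of suppressed times
    _denied_until: dict = field(default_factory=dict)   # account -> end of cooldown

    def _trim(self, q: deque, now: float) -> None:
        """Drop timestamps that have fallen out of the sliding window."""
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def _note_suppressed(self, account: str, now: float) -> None:
        s = self._suppressed.setdefault(account, deque())
        self._trim(s, now)
        s.append(now)
        if len(s) == self.alert_threshold:      # fire once per window crossing
            self.alerts.append((account, now))

    def request_prompt(self, account: str, now: float) -> str:
        """Decide whether a reset request becomes a prompt on the trusted device."""
        if now < self._denied_until.get(account, 0.0):
            self._note_suppressed(account, now)
            return "SUPPRESSED_DENIED"
        q = self._history.setdefault(account, deque())
        self._trim(q, now)
        if len(q) >= self.max_prompts:
            self._note_suppressed(account, now)
            return "SUPPRESSED_RATE"
        q.append(now)
        return "PROMPT"

    def record_response(self, account: str, allowed: bool, now: float) -> None:
        """A Don't Allow answer starts the cooldown; Allow changes nothing here."""
        if not allowed:
            self._denied_until[account] = now + self.deny_cooldown_seconds


def simulate_burst(n: int = 100, interval: float = 10.0, deny_first: bool = False):
    """Replay n reset requests spaced `interval` seconds apart (constructed burst).

    Returns (outcome counts, number of alerts raised).
    """
    throttle = ResetPromptThrottle()
    outcomes = Counter()
    for i in range(n):
        now = i * interval
        result = throttle.request_prompt(ACCOUNT, now)
        outcomes[result] += 1
        if result == "PROMPT" and deny_first and i == 0:
            throttle.record_response(ACCOUNT, allowed=False, now=now)
    return dict(outcomes), len(throttle.alerts)


def recovers_after_window():
    """A legitimate user is blocked inside the window but served once it expires."""
    throttle = ResetPromptThrottle()
    for i in range(3):
        throttle.request_prompt(ACCOUNT, float(i))
    blocked = throttle.request_prompt(ACCOUNT, 3.0)
    later = throttle.request_prompt(ACCOUNT, 3.0 + throttle.window_seconds)
    return blocked, later


if __name__ == "__main__":
    print("user ignores prompts:", simulate_burst())
    print("user taps Don't Allow:", simulate_burst(deny_first=True))
    print("window expiry:", recovers_after_window())
```

With the defaults, a 100-request burst reaches the user as three prompts if they ignore it, or a single prompt if they tap Don’t Allow on the first one, and in both cases the suppressed requests trip the alert, which is the signal an operations team would want to see long before the attacker moves on to the phone call.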

Of course, you don’t want to tap Allow. If you do, whoever initiated the request will be able to change your password on your behalf, log into your account from their own devices, and lock you out. It’s scary enough how easy it is to tap “Allow” by accident after so many spam prompts, but what’s even more alarming is that the pop-up appears on your Apple Watch too. Krebs on Security reports one victim who received a pop-up on their watch while they were sleeping: I could imagine myself accidentally tapping Allow while half asleep, just trying to close the notification.

It’s not over if you click “Don’t Allow”

Even if you wait out the attackers and dismiss these notifications over and over again, they have other tactics. Since they have your phone number, they will call you directly, spoofing their caller ID as the Apple support number. (The incoming call will literally display the official Apple support number.)

If you were to answer this call, the attackers would try their best to convince you that they are Apple Support, perhaps presenting certain information they have about you as “proof”. Once they have tricked you, they trigger the SMS-based OTP (one-time password) code that Apple uses to verify your identity when you log in from an unfamiliar location. Do not share this code with anyone. Apple even includes this warning in the text it sends you. While ideally you shouldn’t talk to attackers at all, if you’re already in this situation, know that Apple Support will never ask you for this code.

Unfortunately, there doesn’t seem to be any way to protect yourself from these spam pop-ups if the attackers already have your Apple ID and phone number. The only thing you could do is change your phone number, which in this case is probably more trouble than it’s worth. (But if you have other reasons to do it, it might be worth it.) We’ll just have to wait for Apple to fix whatever weakness these attackers are using. In the meantime, don’t trust anyone and never tap “Allow” or “OK” when unwanted pop-ups appear.
