
LuisNeto

macrumors member
Original poster
Jun 6, 2023
46
39
As exposed previously on many websites (for example, in this MacRumors article), when thieves get hold of your iPhone and know your Passcode, they can lock you out of your Apple ID account, because it is possible to change the iCloud account password just by knowing the Passcode.

Can anyone confirm if this has been addressed in iOS 17?
 

AbSoluTc

macrumors 603
Sep 21, 2008
5,266
4,206
As exposed previously on many websites (for example, in this MacRumors article), when thieves get hold of your iPhone and know your Passcode, they can lock you out of your iCloud account, because it is possible to change the iCloud account password just by knowing the Passcode.

Can anyone confirm if this has been addressed in iOS 17?

Stop using a passcode.
 

addamas

macrumors 65816
Apr 20, 2016
1,313
1,341
It’s a feature, not a bug. ~Apple Security Department

Because making sure that people can reset their password when they forget it is more important than security…

A screenshot of the response about resetting the iCloud password due to the exploit in Screen Time is below; I got something similar for the issue the OP is talking about.

Testers can cry when white collars are leading, not engineers.
 

Attachments

  • IMG_0751.jpeg
  • IMG_0753.jpeg
  • IMG_0739.png

zorinlynx

macrumors G3
May 31, 2007
8,347
18,558
Florida, USA
This "issue" isn't hard to fix.

- Use a long passcode that's not easy to guess. At least 8 digits, or a passphrase.
- Use FaceID so you don't have to enter your passcode all the time.
- Don't enter your passcode when other people are watching. Hold your phone close to your chest and shield it from other eyes.
 

LuisNeto

macrumors member
Original poster
Jun 6, 2023
46
39
This "issue" isn't hard to fix.

- Use a long passcode that's not easy to guess. At least 8 digits, or a passphrase.
- Use FaceID so you don't have to enter your passcode all the time.
- Don't enter your passcode when other people are watching. Hold your phone close to your chest and shield it from other eyes.
Why do you write "issue" with quotes, as if it isn't an issue?
It is clearly a security design flaw that had serious consequences for many people.

What you wrote are not fixes.
Using a long passcode and hiding it from other people when entering it are tips which still don't prevent the issue from happening if, for example, thieves force you to give them the iPhone and to tell them the passcode.
And your advice to use FaceID is a workaround that isn't ideal either.
 

WarmWinterHat

macrumors 68030
Feb 26, 2015
2,891
8,650
It's the same. I use a long alpha-numeric unlock code so I'm not worried about someone shoulder surfing, but Apple should still fix this. I also use a third-party password manager because I want my passwords saved the same code as everything else.

They (Apple) need to require something more than a screen PIN to get into your account and make changes. Require your Apple ID password, for example, when viewing/changing anything related to your account.
 

addamas

macrumors 65816
Apr 20, 2016
1,313
1,341
My few cents: nobody will just look over your shoulder, but they will record a short video of you typing the password; then it's just a matter of time to get it right out of it, and then take the device from the target.

It’s a design flaw with one point of failure.

I wonder about one thing:
I heard of cases where pay terminals were refusing to accept Apple Pay and forced you to type the password. Is that a fake story, or does this behavior happen when, for instance, Apple Pay fails 2 times in a row?
 

papbot

macrumors 68020
May 19, 2015
2,298
1,076
My few cents: nobody will just look over your shoulder, but they will record a short video of you typing the password; then it's just a matter of time to get it right out of it, and then take the device from the target.

It’s a design flaw with one point of failure.

I wonder about one thing:
I heard of cases where pay terminals were refusing to accept Apple Pay and forced you to type the password. Is that a fake story, or does this behavior happen when, for instance, Apple Pay fails 2 times in a row?
I have never heard of nor encountered anything like that. Although I primarily use my Apple Watch for Apple Pay, and only if I select my debit bank card as the payment source do I ever need to enter a PIN code, never a passcode or password.
 

LuisNeto

macrumors member
Original poster
Jun 6, 2023
46
39
I wonder about one thing:
I heard of cases where pay terminals were refusing to accept Apple Pay and forced you to type the password. Is that a fake story, or does this behavior happen when, for instance, Apple Pay fails 2 times in a row?

Thank you for sharing your opinions.
But this is a different topic.

Please, let's keep this thread specific to the topic.
Thank you.
 

papbot

macrumors 68020
May 19, 2015
2,298
1,076
This "issue" isn't hard to fix.

- Use a long passcode that's not easy to guess. At least 8 digits, or a passphrase.
- Use FaceID so you don't have to enter your passcode all the time.
- Don't enter your passcode when other people are watching. Hold your phone close to your chest and shield it from other eyes.
Exactly. From the very beginning, if someone stole your phone AND has your passcode, all kinds of nefarious things can happen; nothing new there. The risk is pretty minimal with current TouchID and FaceID devices. Since their debut I’ve never had to enter my passcode in public and would only do so when I could be sure no one is standing over me. Having an Apple Watch negates the frequency of even having to pull my phone out, so I have little risk of it being stolen or observed unless I get mugged. A mugging is going to harm you more than just gaining access to your phone. Being mugged and forced at gunpoint to enter your PIN code on an ATM machine has been a risk since ATMs debuted. Again, nothing new here.
 

sk1ski1

macrumors regular
Sep 29, 2016
142
233
Being mugged and forced at gunpoint to enter your PIN code on an ATM machine has been a risk since ATMs debuted. Again, nothing new here.

An ATM pin is limited to just your bank account and the ATM withdrawal limit. Very limited, and the bank can quickly refund you.

A thief that has your phone and its passcode can gain access to all your financial accounts and permanently lock you out of your Apple ID and iCloud account.
 

papbot

macrumors 68020
May 19, 2015
2,298
1,076
I’m not minimizing the possible damage, only saying that the risks and potential are the same. Whatever you do to protect yourself in the ATM instance you would do as well with your phone. The far, far bigger, more common risk I see every day is people using their phones and paying no attention to what’s around them, even while driving. There is nothing new here, just the same risk of careless behavior. If you’re really concerned about this specific type of incident, check into police statistics in your area to see if it even happens. Bottom line: don’t be careless.
 

betasp

macrumors regular
Jul 21, 2008
149
245
No and it’s not a problem. Yes, there are edge cases where this can occur but if it does it is your fault and not Apple’s.

You can’t engineer for everything, period. So why not provide some statistics on how many times of all the times an iPhone has been stolen that this has occurred? Can you cite one time?
 

sk1ski1

macrumors regular
Sep 29, 2016
142
233
No and it’s not a problem. Yes, there are edge cases where this can occur but if it does it is your fault and not Apple’s.

You can’t engineer for everything, period. So why not provide some statistics on how many times of all the times an iPhone has been stolen that this has occurred? Can you cite one time?

Hundreds of reported cases in NYC alone - https://www.wsj.com/podcasts/tech-n...-minutes/1f55ec3a-f7d1-48ea-9090-3fb87f32656e

Yes, it is an Apple design flaw that Apple allows an Apple ID password to be changed on an iPhone by only a phone's passcode.
 

papbot

macrumors 68020
May 19, 2015
2,298
1,076
No and it’s not a problem. Yes, there are edge cases where this can occur but if it does it is your fault and not Apple’s.

You can’t engineer for everything, period. So why not provide some statistics on how many times of all the times an iPhone has been stolen that this has occurred? Can you cite one time?
This was the takeaway from the article : “The biggest takeaway we hope readers have of this piece is to strengthen their passcode. Longer passcodes are harder to what's called shoulder surf. They're harder to snoop. So if you don't have a six-digit passcode that's complex, and 111111 does not count, so long and complex passcodes are the key.”

It was also mentioned that Android devices pose the same risks. Many if not most of the reported incidents were from bar surfing people who were putting in their passcodes. Alcohol and carelessness: always a bad mix. As I’ve mentioned before, I’ve never had to enter my passcode (6 characters) in public and wouldn’t be doing it in a crowded bar anyway. Apple can try to protect you from yourself but won’t always be successful without creating further problems.
 

sk1ski1

macrumors regular
Sep 29, 2016
142
233
This was the takeaway from the article : “The biggest takeaway we hope readers have of this piece is to strengthen their passcode. Longer passcodes are harder to what's called shoulder surf. They're harder to snoop. So if you don't have a six-digit passcode that's complex, and 111111 does not count, so long and complex passcodes are the key.”

It was also mentioned that Android devices pose the same risks. Many if not most of the reported incidents were from bar surfing people who were putting in their passcodes. Alcohol and carelessness: always a bad mix. As I’ve mentioned before, I’ve never had to enter my passcode (6 characters) in public and wouldn’t be doing it in a crowded bar anyway. Apple can try to protect you from yourself but won’t always be successful without creating further problems.

Of course a longer passcode will make it harder to snoop, but not impossible. Also if a theft ring is using cameras (such as security cameras), it won't matter how long you make it. It will all be captured on cameras.

Android has a somewhat similar problem, but....and it's a BIG but....you can be permanently locked out of your Apple ID and iCloud account. Not the same with Android. Google has the keys to restore your account to you. If a thief turns on Apple's Advanced Data Protection, Apple does not have the key to restore your account. And you will be permanently locked out of your account. You have now permanently lost all your pictures, files, etc. in your iCloud account.
 

papbot

macrumors 68020
May 19, 2015
2,298
1,076
Of course a longer passcode will make it harder to snoop, but not impossible. Also if a theft ring is using cameras (such as security cameras), it won't matter how long you make it. It will all be captured on cameras.

Android has a somewhat similar problem, but....and it's a BIG but....you can be permanently locked out of your Apple ID and iCloud account. Not the same with Android. Google has the keys to restore your account to you. If a thief turns on Apple's Advanced Data Protection, Apple does not have the key to restore your account. And you will be permanently locked out of your account. You have now permanently lost all your pictures, files, etc. in your iCloud account.
If this is a significant issue, which I suspect it isn’t (but my view of things is not necessarily relevant), I would expect Apple to implement certain changes to help prevent this, but such changes aren’t always welcomed by users. The basic advice to use caution is still the best advice. From what I’ve seen, if I were determined to take advantage of this it wouldn’t be too difficult to do so by just watching for people taking selfies in bars. The number of times I’ve seen someone lay the device down carelessly after doing so in crowds is amazing. Again, alcohol and carelessness are a bad mix. But other than a Wall Street Journal article that constantly gets referenced, I’ve seen few if any other complaints about this.
 

sk1ski1

macrumors regular
Sep 29, 2016
142
233
If this is a significant issue, which I suspect it isn’t (but my view of things is not necessarily relevant), I would expect Apple to implement certain changes to help prevent this, but such changes aren’t always welcomed by users. The basic advice to use caution is still the best advice. From what I’ve seen, if I were determined to take advantage of this it wouldn’t be too difficult to do so by just watching for people taking selfies in bars. The number of times I’ve seen someone lay the device down carelessly after doing so in crowds is amazing. Again, alcohol and carelessness are a bad mix. But other than a Wall Street Journal article that constantly gets referenced, I’ve seen few if any other complaints about this.

It's a poor security design by Apple, period. And with devastating results. There are better ways to design the Apple ID password change than by only using the phone's passcode.

Just because you haven't heard of the issue doesn't mean it doesn't exist. Similar reports in other cities (Austin, Denver, Boston, London, etc.) -
 

Paddle1

macrumors 603
May 1, 2013
5,140
3,573
No and it’s not a problem. Yes, there are edge cases where this can occur but if it does it is your fault and not Apple’s.

You can’t engineer for everything, period. So why not provide some statistics on how many times of all the times an iPhone has been stolen that this has occurred? Can you cite one time?
All Apple has to do is put a switch in iCloud to disable password reset with your iPhone passcode.

Not being able to engineer for everything ≠ not making any effort at all.
 

sk1ski1

macrumors regular
Sep 29, 2016
142
233
All Apple has to do is put a switch in iCloud to disable password reset with your iPhone passcode.

Not being able to engineer for everything ≠ not making any effort at all.

It's been reported to Apple as an issue for at least two years, and it has got a lot of press since the beginning of the year. Apple has yet to fix the security design flaw. That is exactly why this thread is asking if they finally fixed it in iOS 17. And the answer is sadly no. No excuse, Apple!
 

papbot

macrumors 68020
May 19, 2015
2,298
1,076
It's a poor security design by Apple, period. And with devastating results. There are better ways to design the Apple ID password change than by only using the phone's passcode.

Just because you haven't heard of the issue doesn't mean it doesn't exist. Similar reports in other cities (Austin, Denver, Boston, London, etc.) -
Another careless bar story. I don’t doubt that it has happened. When I became aware of it, just looking at the behavior in a couple of clubs illustrated how easy it would be. Fortunately the majority of people are not that careless, or you would personally know at least several who have had this befall them. Again, one Wall Street Journal article that almost all these stories link back to.
 

sk1ski1

macrumors regular
Sep 29, 2016
142
233
Another careless bar story. I don’t doubt that it has happened. When I became aware of it, just looking at the behavior in a couple of clubs illustrated how easy it would be. Fortunately the majority of people are not that careless, or you would personally know at least several who have had this befall them. Again, one Wall Street Journal article that almost all these stories link back to.

Are you wildly claiming it can only happen in a bar and only to careless people? How was the person in the Business Insider article careless? By entering her passcode in public? That's what people do if Face-ID fails. Apple shouldn't allow your Apple ID to be changed by only using a phone's passcode, which many people enter in public. But I know there are people that will defend Apple for their flawed design. Fact remains, it's a poor security design by Apple that they should fix.
 

papbot

macrumors 68020
May 19, 2015
2,298
1,076
I’ve never had to enter my passcode in public since my older Touch ID devices. The only time I ever have to enter mine is occasionally when I first get up in the morning. If it were required in a public space, I’m sober enough to find some privacy to do so. And yes, doing so in a crowded public space is careless. Full stop! This story, which always gets thrown around involving the same victims in the same story, is tiresome. It’s unfortunate for the person, and I sympathize, but it was easily avoidable. You can criticize Apple all you want; they may well change something. But the same carelessness will arise in another way, leading to similar stories, probably from the same people.
 

sk1ski1

macrumors regular
Sep 29, 2016
142
233
I’ve never had to enter my passcode in public since my older Touch ID devices. The only time I ever have to enter mine is occasionally when I first get up in the morning. If it were required in a public space, I’m sober enough to find some privacy to do so. And yes, doing so in a crowded public space is careless. Full stop! This story, which always gets thrown around involving the same victims in the same story, is tiresome. It’s unfortunate for the person, and I sympathize, but it was easily avoidable. You can criticize Apple all you want; they may well change something. But the same carelessness will arise in another way, leading to similar stories, probably from the same people.

It's careless full stop for Apple to allow the Apple ID password to be changed by only the phone's passcode.
 