



What harm could someone do with access to a user’s Apple ID? If the motive is simple vandalism, like in the case of Wired writer Mat Honan, Apple’s "Find My..." services make it easy to remotely wipe a user’s phone, tablet, or computer. Email, iMessage, iChat, or Facetime allows hackers to read or send private messages as the user, and iCloud would allow them to read, create, or deface other files as well.

More startling is the possibility that a password reset allows the hack to spiral out, iterating from one user to the next and from online to offline. Access to a user’s contacts gives a hacker access to a fresh pool of email addresses and dates of birth; access to iMessage gives them the specific email address associated with those contacts’ Apple IDs. "Find My iPhone," "Find My Friends," and Calendar can let you know where, when, and with whom a user and his or her contacts can likely be found. This can be particularly devastating if it’s a hack targeted at a particular user, with the specific goal of causing physical or material harm to that person or someone close to them.

But the real play here for both vandals and professional criminals is for personal data and documents. With an unlocked Apple ID, data can be harvested either through services like email or iMessage, or more likely by cracking open cloud backups of users’ devices. These backups contain app data, app and system settings (but not passwords), as well as photos and videos, text messages, voice mails, and other data.

It’s the equivalent of breaking into someone’s home by opening a first-floor window someone forgot to lock

"Apple doesn't give a lot of detail about what gets backed up, but presumably everything on your phone is now in the cloud, assuming you do the default setup on an iPhone," says Green. "So that's a lot of data that's now protected using essentially the same security system that was just protecting your iTunes account" three or four years ago.

It would be easy to retrieve copies of device backups, documents, contacts, mail, and messages from the cloud but otherwise leave a user’s profile intact; by the time a user knows something is amiss, he or she would only be aware that his or her old password is no longer functioning. Criminals don’t need continued access to users’ digital identities if they can browse full copies of their cloud data at leisure. Even strong encryption can be broken when time is no longer a factor.

All of this underscores the seriousness of Apple’s security lapse with iForgot. This was a high-priority system defeated with an extremely common form submission hack. It’s the equivalent of breaking into someone’s home by opening a first-floor window someone forgot to lock. Then imagine it happening again and again and again.

But Apple’s status as the largest technology company in the world, and the unique level of trust Apple users have in its systems, actually makes it worse than that. "Imagine that the Secret Service left the front door of the White House unlocked, forgot to turn on the security system, and then it was discovered that the entire protection detail had gone out to a bar, leaving the president completely unprotected," says Green. "That's the analogy that I would give to this particular bug."