“MFA Bombing” Targets Apple Users: Password Reset Flaw Exposed

by ·

Apple users have encountered a cunning phishing scheme that exploits a vulnerability in the password reset function. Victims find their devices bombarded with such an overwhelming number of system notifications that the smartphone becomes virtually unusable without addressing each alert.

Entrepreneur Parth fell prey to such an attack and shared his ordeal on X, detailing how his devices, including his watch, laptop, and phone, were inundated with notifications approving a password change.

Over several days, the requests relentlessly bombarded his phone. After declining all Apple’s password reset requests, Patel soon received a call from someone claiming to be from Apple’s support service, with a caller ID that matched the company’s genuine customer support line. However, despite having his accurate information, the caller failed to correctly identify Patel’s real name, instead using a name associated with Patel on a people search website. Eventually, Patel received a one-time SMS code but did not divulge it to the scammers and hung up the call.

The fraudsters’ objective is to acquire the one-time Apple ID reset code, enabling them to reset the password, lock the account owner out, and remotely erase all data from the victim’s device.

This phishing method, known as MFA Bombing (MFA Fatigue), exploits a feature or vulnerability in the multi-factor authentication system, generating a flood of notifications on the victim’s device. Such attacks can be particularly effective if the attackers know the phone number associated with an Apple account.

In response to the growing threat of MFA Bombing, Microsoft has begun implementing additional security measures, such as the MFA number check function, which requires users to enter numbers displayed on the screen into the authenticator app to confirm system access.

Experts are urging Apple to enhance security measures and consider introducing additional restrictions on the frequency of password reset requests to prevent similar attacks in the future. At the time of publication, Apple has not commented on the situation, raising concerns among users about the security of their data and devices.

Tags: