The Washington Post

This is how easy it is to hack someone’s iCloud with their security questions


The “secret question,” writes security researcher Nik Cubrilovic, is the single most popular, most effective way for a hacker to gain access to your online accounts.

How effective? Really effective. Confoundingly so. It’s so easy, in fact, that you don’t need to be a “hacker” to do it. I know because, in the span of less than three minutes, I gained access to my little brother’s Apple iCloud account with information about him that is simply guessed or readily available on the open Web. (Sorry, Andrew!)

The security question is, essentially, the Achilles’ heel of every password-protected site. Facebook requires access to an associated e-mail to change passwords. Sites with two-factor verification necessitate a physical phone. But on certain sites, including iCloud, you can gain access to the account — and change its password — merely by answering a handful of easily guessed or researched questions.

For instance, to gain access to my brother’s account, Apple asked me:

  1. His Apple ID, which is commonly the user’s primary e-mail address. (It was.)
  2. His birth date, which is available on social media. (Easy.)
  3. The city where our parents met. (Super-guessable — it’s the city where my brother lives.)
  4. His childhood nickname. (Also guessable. Like virtually every boy in America, my brother was called for many years by his last name.)

And voila! Just like that, I’m in. If I wanted to, I could browse his photos (… which I’m sure are entirely PG!), or reset his password, or buy music and apps from his account. And that’s just iCloud. On Gmail, where he has regrettably not set up two-step verification, I’m asked only the approximate date he started the account, the names of frequently e-mailed contacts and my dad’s middle name.

Anyone who knows him or has ever known him — relatives, friends, former landlords, jealous exes — would theoretically have that kind of information. And even people who don’t know him could obtain it. Birthdays and personal histories are frequently flaunted on social media; current and past addresses are easily found via Google search; and blunt-force scripts, in the absence of easier solutions, can try millions of possible answers until coming up with the right one.

It makes sense, then, that the Celebgate hackers seem to have accessed the accounts of people such as Jennifer Lawrence and Kirsten Dunst that way, deploying — in the words of Apple’s statement on the subject — “a very targeted attack on user names, passwords and security questions.” Security questions are a gaping, well-documented vulnerability, “the biggest joke in online identity verification.” And yet we still use them. Worse, we use questions like “in which city did your parents meet?” or “what’s your mother’s maiden name?” — minor bumps that can be Googled and gotten out of the way.

Security experts have suggested some solutions, of course: For starters, choose more difficult questions, or consider writing another password instead of the actual answer. (A hacker would be unlikely to guess, for instance, that you always say you’re from the city of YqGAH7nE.) On the corporate level, companies could also move away from knowledge-based authentication — the technical name for all those personal questions — and toward another model, such as location authentication (based on where you are) or biometric authentication (based on things like your fingerprints).
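The "write another password instead of the actual answer" advice above, as an added example that is not part of the original article: it generates an independent random answer per security question and compares its guessing space with a truthful answer. The question list and the pool of 20,000 candidate cities are assumptions made for illustration.

```python
import math
import secrets
import string

# 62 letters and digits, the same character mix as the article's "YqGAH7nE".
ALPHABET = string.ascii_letters + string.digits


def random_answer(length=8, alphabet=ALPHABET):
    """Return a security-question answer drawn uniformly from a CSPRNG."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, length=1):
    """Entropy when each of `length` positions is one of `choices` equally likely values."""
    return length * math.log2(choices)


def average_guesses(bits):
    """Expected number of guesses before a uniformly chosen answer is hit."""
    return 2 ** (bits - 1)


def answers_for(questions, length=8):
    """One unrelated random answer per question, to be kept in a password manager."""
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions, modelled on the ones quoted in the article.
    questions = ["City where your parents met", "Childhood nickname"]
    for question, answer in answers_for(questions).items():
        print(f"{question}: {answer}")

    # Assumption: a truthful city answer comes from a pool of about 20,000 names,
    # and far fewer once the account holder's home town is known.
    truthful = entropy_bits(20_000)
    randomised = entropy_bits(len(ALPHABET), 8)
    print(f"truthful city : {truthful:.1f} bits, ~{average_guesses(truthful):,.0f} guesses")
    print(f"random answer : {randomised:.1f} bits, ~{average_guesses(randomised):,.0f} guesses")
```

A random answer only helps if it is stored somewhere retrievable, and using a different one for each question and site keeps one leaked answer from unlocking another account.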

In either case, we’re stuck with this particular system for the present. Which is pretty unfortunate, truth be told: In an age in which oversharing comes standard, there’s precious little about you that nobody else knows.