
Security Bits — 30 April 2023

Feedback & Followups

  • 🇺🇸 US Facebook users can now claim their share of the Cambridge Analytica settlement — appleinsider.com/…
  • 🇬🇧 The battle against the UK’s daft plan to ban End-to-End Encryption goes on, with WhatsApp taking the lead on an open letter to the government — daringfireball.net/…

Deep Dive 1 — A Sting in the Tail on the iPhone Passcode Story

Following on from their recent excellent reporting on how criminal gangs are stealing people’s iPhones after getting their phone passcodes, and then utterly ruining their digital lives by completely taking over their Apple IDs, Joanna Stern and Nicole Nguyen are back with a follow-up — attackers have found another way to leverage the access they are getting to phones to permanently lock victims out of their Apple IDs.

Some time ago, Apple added an optional feature where users can choose to take responsibility for their own Apple ID recovery by enabling a Recovery Key. Normally, Apple hold the ability to recover an Apple ID, and if you jump through all their hoops to prove your identity, they can let you back in to an Apple ID you’ve lost access to. People who do not want to trust Apple can take that responsibility away from Apple by enabling a Recovery Key on their Apple ID. When you do, Apple make it very clear that they will be unable (not unwilling, unable) to recover your Apple ID, and that you are taking on full responsibility for protecting and storing this vital key.

Most people don’t enable a recovery key, because having Apple able to help when you get locked out of your Apple ID is a feature for most people, not a bug!

However, as things stand, all you need to enable a recovery key on an Apple ID is:

  1. Access to a logged-in Apple device
  2. The passcode for that device

You can see where this is going — attackers are observing people unlocking their phones, stealing those phones, changing the Apple ID password to lock the true owner out immediately, then setting a recovery key to lock them out permanently. They can then disable Activation Lock on the stolen device and sell it, without the true owner being able to remotely wipe it, etc.

The only protection for now would be to set a recovery key yourself, but that’s taking on a big responsibility, so until Apple make it more difficult to set a recovery key, just remember it’s even more important than we already knew to protect your iPhone passcode!

Links

Deep Dive 2 — Attackers are Focusing on the Mac More and More

TL;DR — the sky is not falling, there’s no need to panic, but attackers are paying ever more attention to the Mac, so the time for any lingering complacency is well and truly over!

Two news stories broke in the last few weeks to drive home this point.

  1. An apparently experimental Mac version of a widely used ransomware family was discovered in the wild
  2. A Mac-specific data stealing trojan was discovered for sale on Telegram

Apple malware sleuth extraordinaire Patrick Wardle reported the discovery of what appears to be an early beta of a Mac version of the ransomware widely deployed by the notorious LockBit cyber crime gang. The good news is that the Mac malware was clearly an early-stage experiment with so many bugs it actually crashed on launch, but it still shows where the attackers are focusing their attention. So, while this version of this malware appears to pose no real risk to regular users today, that’s not likely to remain the case for long 🙁

Separately, researchers at the company Cyble reported discovering a data stealer for the Mac for sale on an underground Telegram channel. The malware is being advertised as Atomic macOS Stealer, or AMOS for short, and is sold as a data-stealing-as-a-service toolkit for $1K per month. That price tag shows the economic value cybercriminals now see in Mac users.

The malware is pretty powerful, stealing passwords from the keychain, interesting-looking files, passwords and form-fill-ins from all the major browsers, and draining funds from many popular crypto wallets.

The silver lining is that this is a trojan, so it relies on social engineering to trick victims into running the installer, and then into entering their password into the malware. That password is what lets it unlock and steal the contents of the user’s keychain, so a password prompt from a freshly installed app you didn’t expect to need one is the moment to stop and think.

Links

  1. Apple’s Macs have long escaped ransomware, but that may be changing — arstechnica.com
  2. Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram — nakedsecurity.sophos.com/…

❗ Action Alerts

Bash script to find all of your Electron apps:

  1. Download this zip file of a tiny Bash script to your Downloads folder: https://podfeet.com/misc/electronCheck.sh.zip
  2. Double-click the zip file to uncompress it so you can use the script
  3. Look at the script in a text editor to make sure you can trust a script you downloaded from the Internet!
  4. Open the Terminal (it’s in Applications/Utilities)
  5. Change directory to your Downloads folder by typing into the Terminal:
     cd ~/Downloads
  6. Make the script executable by typing (only strictly needed if you want to run it as ./electronCheck.sh, but harmless):
     chmod +x electronCheck.sh
  7. Run the script by typing:
     bash electronCheck.sh

If you’re running any Electron apps you should see them listed like this:

/Applications/1Password.app uses Electron
/Applications/Dropbox.app uses Electron
/Applications/Slack.app uses Electron
/Applications/Discord.app uses Electron
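For readers who would rather see the logic than trust a downloaded script, here is an added example that does the same job; it is not the podfeet.com electronCheck.sh script and was written for this page. It looks for the `Electron Framework.framework` bundle that every Electron app ships inside `Contents/Frameworks`, and additionally reports the bundled Electron version, because each Electron app carries its own copy of Chromium and only gets Chromium fixes when the app ships a newer Electron. It assumes the framework’s `Info.plist` carries `CFBundleShortVersionString` as an XML plist; where that isn’t readable the version is reported as unknown.

```bash
#!/usr/bin/env bash
# Added example (not the podfeet.com electronCheck.sh script): list every app
# bundle under a directory that embeds the Electron framework, and report the
# bundled Electron version where the framework's Info.plist is readable as XML.
# Electron apps carry their own copy of Chromium, so the version tells you
# whether an app has actually picked up recent Chromium fixes.
set -u

# Best-effort read of CFBundleShortVersionString from an XML Info.plist.
# Assumption: the key sits on one line and its <string> value on the next, as
# Apple's plist tools write them. Binary plists (on a Mac, `plutil -convert
# xml1` turns them into XML) and missing files yield "unknown".
plist_version() {
  local plist="$1" version=""
  if [ -r "$plist" ]; then
    version=$(awk '/<key>CFBundleShortVersionString<\/key>/ {
                      if ((getline) > 0) { gsub(/.*<string>|<\/string>.*/, ""); print }
                      exit }' "$plist")
  fi
  printf '%s\n' "${version:-unknown}"
}

# Print "<app> uses Electron <version>" for each .app in DIR that ships
# Contents/Frameworks/Electron Framework.framework. Returns 0 if at least one
# Electron app was found, 1 otherwise (including for a directory with no apps).
find_electron_apps() {
  local dir="$1" found=1 app fw
  for app in "$dir"/*.app; do
    fw="$app/Contents/Frameworks/Electron Framework.framework"
    [ -d "$fw" ] || continue
    printf '%s uses Electron %s\n' "$app" "$(plist_version "$fw/Resources/Info.plist")"
    found=0
  done
  return "$found"
}

# Stand-alone use on a Mac: scan the system and per-user Applications folders.
main() {
  local dir
  for dir in /Applications "${HOME:-/nonexistent}/Applications"; do
    [ -d "$dir" ] && find_electron_apps "$dir"
  done
  return 0
}
main
```

Run it as `bash electron-check.sh` on a Mac and you get one line per Electron app with its Electron version; an app that still reports an old major version months after a Chromium fix is the one to chase. If a version shows as unknown, the framework’s `Info.plist` is probably in binary form, and `plutil -p` on that file will print it in readable form.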

Notable News

  • Details are sparse, but Citizen Lab have announced that they have discovered updated versions of Pegasus using zero-click exploits against iOS 15 & 16. Because the cat-and-mouse game is ongoing, they’re keeping some of the details to themselves, but at least some of the exploits are patched in the latest versions of the OS, and Lockdown Mode is providing at least some protection – appleinsider.com/…
  • Google has added 2FA sync to Google Authenticator, but don’t use it yet, they haven’t gotten around to adding an option for E2E encryption yet, so your 2FA secrets would be sitting in your Google account without end-to-end encryption — nakedsecurity.sophos.com/…
  • 🇫🇮 Ex-CEO of breached psychotherapy clinic gets prison sentence for bad data security — nakedsecurity.sophos.com/… (lost ~30k patient records)
  • 🇺🇸 Google has won an injunction against a crimeware gang in Pakistan in the US, and part of the judgement instructs ISPs to take “reasonable steps to identify” and “reasonable steps to block” traffic from the gang’s botnet — nakedsecurity.sophos.com/…

Excellent Explainers

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji and meaning:

  • 🎧 A link to audio content, probably a podcast.
  • ❗ A call to action.
  • (flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
  • 📊 A link to graphical content, probably a chart, graph, or diagram.
  • 🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
  • 💵 A link to an article behind a paywall.
  • 📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
  • 🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
