After Photos and Calendar Were Filled with Spam, Has Apple's Home App Fallen Too?

Recently, an incident caught Shichao's attention.

Many friends have recently found their Apple devices pushing strange advertisements through the Home app.

If you pay attention to your push notifications, every now and then something strange turns up among the notifications on the iPhone lock screen...

The content is nothing more than malicious spam such as "Macau Online Casino" and "NNYP", sitting brazenly on the "Family Invitation" page.

Look at the wording and the copy: no respectable family would go this far. This gang of illegal marketers really knows how to play...

Friends who use an iPhone will know that Apple's Home app is the launcher for smart devices.

Similar to Mijia, as long as a home device supports HomeKit, the smart home can be controlled remotely through this app.

The principle behind the invitation push is also simple: invitations are sent to other users through the Home app. As long as the sender knows the other party's email address, invitations can be sent indiscriminately, and as long as the address is correct, anyone can receive one...

How did such a "harmless" app become a target for these illegal marketers?

Isn't Apple's security and privacy tech tree supposed to be maxed out? How can it be broken so easily by this spam?

Does harassment not fall under privacy controls? ▼

Well, Apple has to take half the blame here. Its half is that it has never dealt with this loophole: it has been sitting there for several years, and Apple has yet to offer a clear official solution.

The other half of the blame lies with the now-rampant leakage of personal information.

Let's take things one at a time and start with how this kind of spam push works.

As we all know, Apple is a company that emphasizes user experience across its ecosystem; whether between iPhone and iPad or between iPhone and Mac, the devices are tightly linked.

For example, if you want to use your iPhone to send a picture or a video to another friend who uses an iPhone, you can send it directly through AirDrop.

Or, when a friend visits and wants to connect to your home Wi-Fi, Apple devices can share the password directly once the friend has been added to the address book, with no need to enter it manually.

This concept of "sharing" runs throughout Apple's ecosystem. It not only ties devices closely together but also binds users to the ecosystem and widens the base of Apple device users.

But everything is a double-edged sword: while "sharing" brings convenience, it also brings many security risks.

Netizens on the subway have previously received AirDrops from strangers. If automatic receiving is not turned off on the phone, there is a high probability of being sent some very strange content.

Sexually harassing content is also a possibility...

However, once AirDrop from strangers is turned off, this problem is basically contained. The more troublesome case is messages pushed to strangers through invitations.

That includes the Home app mentioned at the start of the article; malicious messages sent through invitations such as photo sharing and calendar reminders are more troublesome to deal with.

These criminals are very clever: they first buy bundles of thousands of email addresses from illegal channels.

In the gray-market supply chain for personal information online, prices are often clearly marked and differ by category; the information of people like Shichao, who usually like to play games, has a particularly low unit price.

After collecting the email addresses, they use Apple devices in the background to send invitations in bulk. This is really fishing: fishing for the live fish, the "Apple users"...

Because no matter what method is used, a huge pile of personal email addresses has no value in itself: more than half of these addresses are zombie accounts or low-value addresses that are rarely used.

For criminals, making these addresses valuable requires screening them.

The fastest way to screen is to determine how many of these addresses belong to Apple users. After all, an address that was used to register an Apple ID is generally not a low-value one.

The boxed area below is the email address the criminals sent from. ▼

So in most cases, getting people to join some "Online Casino" is not the goal. The goal is to get users to tap "reject" or "accept" in the invitation mechanism.

After sending an invitation, the bad actors have no way of knowing whether it reached an Apple user. But once the user taps "reject" or "accept", that effectively tells them that the owner of the address is an Apple user.

Simply put, one tap and we're hooked.

Once the other party knows this is an Apple user, the value of the address multiplies several times.

As for whether they later sell the address or send targeted marketing content to it, by then we really are the fish on the chopping board, to be braised or steamed as they please.

Overall, this vulnerability has always existed on Apple's platform, and there has never been a good solution.

At present, the more reliable approach is to turn off the Home, Calendar, and iCloud Photos functions in iCloud settings and stop accepting any invitations, or simply delete the app.

However, some netizens have reported on the official website that spam messages still arrive even after the app is deleted, so this is not a once-and-for-all fix.

There are even cases where the invitation cannot be refused.

The only remaining option is to ignore it and leave it alone.

However infuriating it is, you just have to put up with it...

Shichao feels that closing this loophole would be simple for Apple: just as with AirDrop, restrict invitations to contacts only, and wouldn't that be the end of the matter?

AirDrop can do it, so why can't "sharing"?

This is not a difficult vulnerability to fix. Leaving the choice to users means Apple does not have to carry the blame itself, and it solves the problem.
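
A sketch of the contacts-only restriction proposed above, added here as an illustration (it is not Apple's code and not part of the original article). The `Policy` setting, the silent quarantine list and every address are hypothetical or constructed; the model assumes a filtered invitation produces no reply the sender can see.

```python
from dataclasses import dataclass, field
from enum import Enum

class Policy(Enum):  # hypothetical setting, modelled on AirDrop's receive options
    EVERYONE = "everyone"
    CONTACTS_ONLY = "contacts_only"
    OFF = "off"

@dataclass
class Recipient:
    address: str
    policy: Policy
    contacts: set = field(default_factory=set)
    inbox: list = field(default_factory=list)        # invitations shown to the user
    quarantine: list = field(default_factory=list)   # held silently, no notification

def normalize(addr):
    # Compare addresses case-insensitively and ignore stray whitespace.
    return addr.strip().lower()

def deliver(recipient, sender, text):
    """Return True if the invitation is shown to the user and can be answered."""
    known = normalize(sender) in {normalize(c) for c in recipient.contacts}
    allowed = recipient.policy is Policy.EVERYONE or (
        recipient.policy is Policy.CONTACTS_ONLY and known)
    (recipient.inbox if allowed else recipient.quarantine).append((sender, text))
    return allowed

def sender_view(recipient, sender, text, user_taps):
    """What the sender can observe in this model.

    Only an invitation that was shown can be answered, and the answer is the
    signal the article describes. A quarantined invitation yields nothing,
    which (by assumption) looks the same as an address with no Apple ID.
    """
    if deliver(recipient, sender, text) and user_taps in ("accept", "reject"):
        return user_taps
    return None

if __name__ == "__main__":
    # Constructed sample data.
    victim = Recipient("user@example.com", Policy.CONTACTS_ONLY,
                       contacts={"friend@example.com"})
    print(sender_view(victim, "bulk@spam.example", "Macau Online Casino", "reject"))
    print(sender_view(victim, "friend@example.com", "Join my home", "accept"))
```

With the policy set to `EVERYONE`, the same bulk invitation reaches the inbox and any tap goes back to the sender, which is the behaviour the article describes today.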

The next thing to be "shared" may be more than "Macau Online Casino".

Author: Jihao Editor: Polygon Line
