If you're doing something on your iPhone, iPad, or Mac and you suddenly get a pop-up asking you to reset your Apple ID password, it's understandable that you might feel a little panicked. The thing is, this does happen, and if it happens to you, you should proceed with caution, but not panic.
What's behind the Apple ID password reset attack
As Krebs on Security explains, bad actors are attacking Apple users by spamming their devices with password reset requests. These pop-ups won't disappear unless you close or interact with them via the Allow or Don't Allow options, which means that in order to continue using your device, you'll need to keep clicking Don't Allow .
The pop-up itself isn't necessarily evil: it's how Apple allows you to change your Apple ID password on an untrusted device or network. Let's say you've forgotten your Apple ID password and reset it through Apple's password reset website: After entering the appropriate amount of information, Apple will send a pop-up to your trusted connected device to approve the reset process. Once approved, you can enter your new password.
However, bad actors are exploiting certain vulnerabilities in Apple's MFA (multi-factor authentication) process to not only send these reset pop-ups to your device, but also to send you actual spam. You might close that pop-up, but receive another one almost immediately. One victim had to close more than 100 pop-ups before it finally stopped.
While we don’t know exactly how attackers spam users with pop-ups, it’s not hard to imagine how they target their victims. When you visit Apple's password reset website, you'll need to present your Apple ID and phone number. If an attacker knows these two credentials of yours, they can trigger a reset popup.
Of course, you don't want to click "Allow." When you do this, anyone who initiated this password request will be able to change your password on your behalf. When they do this, they will be able to log into your account on their device and lock you out. While it's scary enough that it's easy to accidentally click "Allow" after receiving spam messages multiple times, what's even more worrying is that the pop-up also appears on your Apple Watch. Krebs on Security reports that one victim received the pop-up on his watch while sleeping: I can imagine myself accidentally clicking "Allow" while half asleep, just to ignore the notification.
If you click "Don't allow" it's not over yet
Even if you are able to wait for the attacker and ignore these notifications over and over again, they will resort to another tactic. Since they have your phone number, they will call you directly and pretend to be their number as Apple Support. (When a call comes in, it will directly display the official Apple support number.)
If you answer the call, the attacker will try to make you believe they are from Apple support, perhaps providing some information they have about you as "evidence." Once they trick you, they trigger an SMS-based OTP (one-time password) code that Apple uses to prove your identity when logging into unfamiliar places. Do not share this code with anyone . Apple even includes this warning in the text it sends you. While ideally you wouldn't talk to the attacker in the first place, if you're already in this situation, know that Apple support will never ask for this code on their own.
Unfortunately, there doesn't seem to be any way to protect you from these spam pop-ups if an attacker already has your Apple ID and phone number. The only thing left to do is change your phone number, in which case that might be more trouble than it's worth. (But if you have other reasons to do it, it might be worth it.) We'll just have to wait for Apple to fix whatever loopholes these bad actors are using to protect us. In the meantime, don't trust anyone and don't click "Allow" or "OK" on unsolicited pop-ups.
