Remember I posted about account access? This is the long story of how that came about.
Picture the scene – You have an old email address you rarely use. It gets the occasional email which is clearly meant for someone else. Mostly Jacquline Lawson eCards or random newsletter signups.
I saw the “1” in red on my 🍎 folder. “Huh, I have an app to update” says I. But no, it’s Mail.app “hey remember me? You’ve got mail!” I open up the app, and there was an email with a subject line (I paraphrase) “Try out these cool features of your physical IoT device”
Well. I don’t have said device.
Now, working for who I work for, I know that this must mean someone has used my email address to sign up for this service.
Click into site, go to the account sign in page, password reset…
I reset the password then logged in. I didn’t touch anything or look at any personal details.
To confirm, someone used my iCloud email address to sign up (as I found out later) in-app for this service.
I get on Live Chat and explain the issue.
“One moment please”.
I wait a bit then ask how they’re doing, they reply they’re looking into it but if I want a quicker resolution to call them.
Luckily, I have a bunch of international calling on my mobile plan, eh?
So I call them, explain what has happened and emphasise that they need to have account verification on sign up. We had an almost hour-long phone conversation, and I said I was going to post about it but was going to withhold their name.
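The gap described above is that the service trusted an email address the moment someone typed it into the app, so the real owner of the mailbox could run the ordinary "forgot password" flow and land in a stranger's account. The following is an added example, not code from the post or from the company involved, that models both policies in a toy account service: `AccountService`, `Account`, the simulated `outbox` and the example addresses are all constructed for illustration. With `require_verification=False` it reproduces the takeover; with `require_verification=True` sign-up issues a verification token, and password reset refuses to send a link to an address the account holder never confirmed, notifying the mailbox owner instead.

```python
"""Toy model of sign-up with and without e-mail verification.

Constructed example: no real service, user, or library API is modelled.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    email_verified: bool = False
    verify_token: str | None = None
    reset_token: str | None = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; a production service would use argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """require_verification=False reproduces the behaviour the post describes."""

    def __init__(self, require_verification: bool) -> None:
        self.require_verification = require_verification
        self.accounts: dict[str, Account] = {}
        # Simulated e-mail delivery as (recipient, message). Only the person who
        # controls the mailbox reads these, not whoever typed the address in.
        self.outbox: list[tuple[str, str]] = []

    def sign_up(self, email: str, password: str) -> None:
        key = email.lower()
        if key in self.accounts:
            raise ValueError("address already registered")
        salt = secrets.token_bytes(16)
        acct = Account(email=email, salt=salt, password_hash=_hash_password(password, salt))
        if self.require_verification:
            acct.verify_token = secrets.token_urlsafe(16)
            self.outbox.append((email, f"verify:{acct.verify_token}"))
        else:
            acct.email_verified = True  # the flaw: the address is trusted on say-so
        self.accounts[key] = acct

    def verify_email(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.verify_token is None:
            return False
        if not hmac.compare_digest(acct.verify_token, token):
            return False
        acct.email_verified = True
        acct.verify_token = None
        return True

    def request_password_reset(self, email: str) -> None:
        acct = self.accounts.get(email.lower())
        if acct is None:
            return  # same outward response either way: do not leak which addresses exist
        if not acct.email_verified:
            # Never send a reset link to an address nobody has proved they control;
            # tell the mailbox owner what happened instead.
            self.outbox.append((email, "notice: an unverified account was created with this address"))
            return
        acct.reset_token = secrets.token_urlsafe(16)
        self.outbox.append((email, f"reset:{acct.reset_token}"))

    def complete_password_reset(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.reset_token is None:
            return False
        if not hmac.compare_digest(acct.reset_token, token):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.reset_token = None
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None:
            return False
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash)


def mailbox_owner_can_take_over(require_verification: bool) -> bool:
    """Replay the post's scenario: a stranger registers with someone else's address,
    then the real mailbox owner runs the normal 'forgot password' flow."""
    svc = AccountService(require_verification)
    address = "owner@example.invalid"  # constructed address
    svc.sign_up(address, "stranger-chosen-password")
    svc.request_password_reset(address)
    # Only the mailbox owner sees the outbox; pick out a reset link if one arrived.
    tokens = [m.split(":", 1)[1] for to, m in svc.outbox if to == address and m.startswith("reset:")]
    if not tokens:
        return False
    if not svc.complete_password_reset(address, tokens[0], "owner-chosen-password"):
        return False
    return svc.login(address, "owner-chosen-password")


if __name__ == "__main__":
    print("no verification, takeover possible:", mailbox_owner_can_take_over(False))
    print("verification required, takeover possible:", mailbox_owner_can_take_over(True))
```

The design point is that "reset link goes to the email on file" is only safe when the email on file has been verified; the hardened service treats an unverified address as unproven and uses the reset request as the moment to warn the mailbox owner, which is the notification the post's author never received.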
That was Friday evening; they emailed a couple of hours later:
We will be removing your email address from this account and reaching out to the owner to correct this mistake. Thank you very much for bringing this to our attention and let me know if you continue to get any emails from us aside from our support department.
Question to anyone in the know – is this worthy of a bug bounty? It’s not a code based exploit but I gained access to the account of someone else, and let’s just say the company is very security focused.