Real Apple notifications are being used to drive tech support scams

Scammers have found a way to abuse legitimate Apple account notification emails to trick targets into calling fake tech support numbers. According to a report from BleepingComputer, scammers create an Apple account and insert a phishing message into the personal information fields, then modify th...

CVE-2026-31813 Supabase Auth has insecure Apple and Azure authentication with ID tokens

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...

Apple Pay phish uses fake support calls to steal payment details

It started with an email that looked boringly familiar: Apple logo, a clean layout, and a subject line designed to make the target’s stomach drop. The message claimed Apple has stopped a high‑value Apple Pay charge at an Apple Store, complete with a case ID, timestamp, and a warning that the...

Stolen iPhones are locked tight, until scammers phish your Apple ID credentials

One of the reassuring things about owning an iPhone was knowing you could lock it if it got lost or stolen. Without your passcode, fingerprint or face to unlock it, it would be useless to anyone else. Now, though, some phone thieves have found a workaround, not by breaking Apple's security, but b...

EUVD-2017-16176

Malware in sbrugna...

EUVD-2017-11580

Malware in sbrugna...

EUVD-2020-30625

Malware in sbrugna...

EUVD-2014-4426

Malware in sbrugna...

EUVD-2021-17815

Malware in sbrugna...

EUVD-2018-16110

Malware in sbrugna...

EUVD-2021-17911

Malware in sbrugna...

A week in security (July 28 – August 3)

Last week on Malwarebytes Labs: Apple ID scam leads to $27,000 in-person theft of Ohio man OpenAI kills "short-lived experiment" where ChatGPT chats could be found on Google Trump Administration and Big Tech want you to share your health data Prison visitor details shared with all inmates at...

Apple ID scam leads to $27,000 in-person theft of Ohio man

You've probably heard about people scamming from halfway around the world, but sometimes they turn up at your door. That's what happened in May, when 67 year-old Robert Wise of Ohio received a text telling him that his Apple ID had been compromised. It had been used at an Apple store for a $213...

CVE-2024-40862

A privacy issue was addressed by removing sensitive data. This issue is fixed in Xcode 16. An attacker may be able to determine the Apple ID of the owner of the computer...

CVE-2023-42855

This issue was addressed with improved state management. This issue is fixed in iOS 17.1 and iPadOS 17.1. An attacker with physical access may be able to silently persist an Apple ID on an erased device...

CVE-2021-30898

An access issue was addressed with additional sandbox restrictions on third party applications. This issue is fixed in iOS 15 and iPadOS 15. A malicious application may be able to access some of the user's Apple ID information, or recent in-app search terms...

CVE-2020-9846

A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.0.1. A malicious application may be able to access local users' Apple IDs...

CVE-2018-4324

A permissions issue existed in the handling of the Apple ID. This issue was addressed with improved access controls. This issue affected versions prior to macOS Mojave 10.14...

CVE-2013-5193

The App Store component in Apple iOS before 7.0.4 does not properly enforce an intended transaction-time password requirement, which allows local users to complete a 1 App purchase or 2 In-App purchase by leveraging previous entry of Apple ID credentials...

CVE-2024-40862

A privacy issue was addressed by removing sensitive data. This issue is fixed in Xcode 16. An attacker may be able to determine the Apple ID of the owner of the computer...