Apple's autofill feature for two-factor authentication makes entering verification codes received via SMS effortless. The problem is that phishing attackers know how to exploit this. Now Apple has made changes to its own services.
Apple's change means that every new two-factor authentication SMS Apple sends is offered for autofill only on Apple's own services and websites: a standardized text block has been appended to the message that binds the code to a domain, so phishing sites posing as Apple cannot receive it via autofill. As Macworld reported, this format was proposed over a year ago - in August 2020, to be exact. The new messages contain more text than usual - and have been rolling out for several weeks now.
- A normal, human-readable message, including the code, followed by a newline.
- The scoped domain as @domain.tld.
- The code, repeated as #123456.
- If the website uses an embedded HTML element, a so-called iframe, the source of the iframe is listed after the %, e.g. %ecommerce.example. (The original specification specifies @; Apple appears to use % in its texts.)
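The parsing and matching rule behind this format, as an added Python example (not Apple's code): it reads the binding line, then offers the code only when the top-level page, and the iframe if one is involved, match the domains named in the message. The subdomain rule, the handling of malformed messages and the sample texts are assumptions constructed for this example.

```python
import re

# Constructed sample texts in the format the article describes (not real Apple messages).
# Last line: "@<scoped domain> #<code>" with an optional "%<iframe source>".
BOUND_MSG = "Your Apple ID code is 123456. Don't share it with anyone.\n@apple.com #123456"
EMBED_MSG = "Your checkout code is 987654.\n@shop.example #987654 %ecommerce.example"
LEGACY_MSG = "Your verification code is 555555."  # old style: no binding line

BINDING = re.compile(r"^@(?P<domain>[^\s#%]+)\s+#(?P<code>\S+)(?:\s+%(?P<embed>\S+))?\s*$")


def parse_bound_code(message):
    """Return {'domain', 'code', 'embed'} from the binding line, or None for a
    legacy message. A binding line that does not parse, or whose #code does not
    appear in the human-readable text above it, is rejected (ValueError)."""
    lines = message.strip().splitlines()
    if not lines[-1].startswith("@"):
        return None  # legacy message without a binding line
    m = BINDING.match(lines[-1])
    if not m or m["code"] not in "\n".join(lines[:-1]):
        raise ValueError("malformed binding line")
    embed = m["embed"].lower() if m["embed"] else None
    return {"domain": m["domain"].lower(), "code": m["code"], "embed": embed}


def host_matches(host, scoped):
    """Assumption: a host matches if it equals the scoped domain or is a subdomain
    of it. Suffix-only look-alikes such as apple.com.evil.example do not match."""
    host, scoped = host.lower(), scoped.lower()
    return host == scoped or host.endswith("." + scoped)


def should_autofill(message, page_host, frame_host=None):
    """Decide whether the code may be offered. page_host is the top-level page;
    frame_host is the iframe holding the code field, if any. Returns (offer, code).
    Legacy messages are offered anywhere: that is the weakness the bound format closes."""
    try:
        parsed = parse_bound_code(message)
    except ValueError:
        return False, None
    if parsed is None:
        m = re.search(r"\b\d{4,8}\b", message)
        return (True, m.group(0)) if m else (False, None)
    if not host_matches(page_host, parsed["domain"]):
        return False, None
    if frame_host is not None:
        if parsed["embed"] is None or not host_matches(frame_host, parsed["embed"]):
            return False, None
    return True, parsed["code"]
```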
Apple has changed the appearance of SMS messages for 2FA queries
The whole system works much like password managers and iCloud Keychain, which only offer a saved password on the specific website or associated app it belongs to. Fake websites therefore cannot use autofill to capture a two-factor authentication code, because iOS, iPadOS and macOS recognize that the domains do not match.
iOS, iPadOS and macOS offer to fill in the code most recently received via SMS in the Messages app into any properly formatted field - even the verification code field on a phishing website. This makes things too easy for scammers. If the text message is formatted as Apple suggests, however, iOS 15, iPadOS 15 and macOS 11 Big Sur only offer autofill on websites whose domain name matches. The protection is not perfect, but it is a simple change that strengthens defenses.
So if in future you receive an SMS verification code and no autofill is offered, take a close look at the domain name. Better still: always use your own bookmarks or type URLs manually instead of clicking on links.