Apple and Meta mistakenly leaked data to hackers. They were deceived like children

After Meta* was blocked in Russia, the company keeps getting into stupid situations, this time together with Apple itself. It has emerged that the companies handled user data irresponsibly and leaked it to hackers. But it was not intentional: the companies were duped. With Meta* everything has been clear for a long time, but it's a shame for Apple: we're starting to wonder about this notorious privacy that the company regularly reminds us of. Still, let's try to understand how it happened, what data Apple gave to hackers, and whether it is worth worrying about.

Apple threatens user privacy again


Apple leaks data

According to Bloomberg, Apple and Meta* provided user data to hackers posing as law enforcement agents. The hackers received addresses, phone numbers and IP addresses in the middle of last year in response to bogus requests made in the name of authorities. Typically, such data requests are granted only with a search warrant or subpoena, but these urgent requests do not require a court order. Companies have no possibility of refusing these requests.

Apple distributes data left and right. But what about privacy?

Snap, which owns Snapchat and Zenly, is also known to be suspected of leaking data, but it's unclear whether the company provided data in response to the bogus requests. Cybersecurity experts believe that some of the requests were made by minors from the US and UK, and that one of the participants is a member of the Lapsus$ group. As a reminder, this is the group accused of having hacked Microsoft, Samsung and Nvidia. The police are already investigating the perpetrators.

Apple hacked by hackers

The fact is, law enforcement around the world routinely requests data from IT companies as part of investigations. In the United States, these requests are accompanied by an order from a judge. The emergency requests discussed above are intended as a last resort in situations involving imminent danger or a threat to life. Such demands may be part of a campaign against tech giants.

Apple is trying to compromise, but the company has no right to refuse law enforcement

According to people familiar with the situation, the hackers used the information they received to harass users and create more fraudulent schemes. Knowing this information about a victim, attackers could use it for hacking and for bypassing account protection. Krebs on Security reported that hackers forged an emergency request to get data from Discord. The social network has already confirmed that an employee approved the fake request, and even managed to find excuses:

Although our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been hacked by an attacker. We have since investigated this illegal activity and notified law enforcement of the compromised email account.

The requests were sent from hacked email addresses belonging to law enforcement agencies in different countries. They contained fake signatures of real and fictitious departmental employees, and the requests were drawn up from existing sample templates. It is known that in every case a person at the company responded to these requests, trying to act according to the rules.

Apple Security Policy

Meanwhile, Apple and Meta* documents make the approximate volume of emergency requests clear. The Cupertino-based company notes that it received 1,162 requests from 29 countries between July and December, and that data was provided 93% of the time. Over the same period, Meta* received around 22,000 emergency requests in 6 months, and the company gave the green light to 77% of them. Just imagine how much data Apple handed over in a year. Meta* said it transfers data depending on the circumstances. The company did not respond about how requests are checked.

What should Apple do about data security?

It should be noted that Apple accepts legal requests at its e-mail address, provided that they are sent from the official address of the department. True, it is not difficult to hack such an address. It is even easier to buy the data on the dark web, and it doesn't cost that much. This is confirmed by Jin Yu, director of cybersecurity firm Resecurity:

Underground dark online stores contain stolen email accounts for law enforcement that can be sold with cookies and metadata attached for between $10 and $50.

There is no solution to this problem yet. It turns out it's not that hard to fool Apple. Experts say it's impossible to fully protect departmental email addresses from hacking. At the moment there is only one solution: to check incoming requests as carefully as possible. True, this can lead to sad consequences and a threat to people's lives. Otherwise Apple will continue to disclose data right and left.

*Meta, as well as Instagram and Facebook are extremist organizations banned in the territory of the Russian Federation.