The app looks poorly made and there are clear spelling mistakes plus the fact that it was not offered by TikTok which should have made you suspicious. It sucks this happened but maybe you should have done some research and checked if this app actually did belong to TikTok. I assume the app also asked you to login to Facebook directly rather than OAuth which should also made you suspicious.

I've often heard the argument that scams add spelling mistakes to only catch the idiots that have a high conversion rate for the scam. That doesn't feel like it makes sense on something like this which is highly sophisticated. Is it just bad quality?

My point was that official applications rarely ever include them, not that it was intentionally placed there.

> you should have done some research

Just to be clear, this didn't happen to me. I just posted what Niek van der Maas wrote on his GitHub. I don't think he's even reading this HN thread, so no use giving him advice.

Very American opinion. You are aware that there's a lot of non-native English speakers who can absolutely miss a few typos?

My apologies, I missed that possibility. The app still looks poorly put together regardless.

reCAPTCHA v3 is supposed to be frictionless so there would be no use for this as the user does not need to solve anything.

The user solves the puzzle by behaving like a human.

I doubt they would cost the same as regular iPhones.

Does it matter what they cost if scammers could net tens/hundreds of thousands for a single one? (Assuming they pick targets right)

People with tens/hundreds of thousands of dollars are buying iPhones from random third parties?

It's easier than that. You simply modify the special phone to broadcast the unlock PIN being entered in realtime. You set the background to the same wallpaper as the target's phone.

You swap it physically for the target's phone on the table, netting you the target device.

Moments later, when they pick up a phone that looks just like their own and enters a PIN several times, you now have both their phone (from when you swapped it) and the PIN to unlock it (from the broadcast), allowing you full use of the device, offline, at your leisure. The target is now confused why their phone isn't unlocking, and may not detect the attack for hours.

Apple really should put these audit devices in a big, boxy, couldn't possibly-be-mistaken-for-an-iPhone case.

> The target is now confused why their phone isn't unlocking, and may not detect the attack for hours.

You might as well let the user in while you’re at it, so it’s truly undetectable.

> Apple really should put these audit devices in a big, boxy, couldn't possibly-be-mistaken-for-an-iPhone case.

Someone in Shenzhen is spinning up their CNC machine as you speak to change that to “you could probably show it to a Genius and they wouldn’t be able to tell at a glance”.

You couldn’t, without the data on the stolen target phone. The attack ends with the victim in physical possession of the security research device.

I was thinking that the board might need to be larger, too, to make sure it couldn’t easily be transplanted.

> I was thinking that the board might need to be larger, too, to make sure it couldn’t easily be transplanted.

Wouldn't that be costly from an assembly perspective? Economies of scale and all that.

Idk, this all seems much too spy-novel-esque for me. You could also install a hidden camera in the victim's room, or modify the phone to capture the video-out signal.

Apple is retaining ownership of the devices, as mentioned in the article. They are not for sale. The per-device cost is not hugely relevant.

It sounds like a spy novel because spies spy on people who use regular, everyday hardware. A rooted iPhone is an extremely useful tool to that end.

> It sounds like a spy novel because spies spy on people who use regular, everyday hardware. A rooted iPhone is an extremely useful tool to that end.

Do you know of any instances where this happened with devices that can be rooted? (Computers, most Android phones, iPhones vulnerable to Checkm8)

Barton Gellman wrote about this very thing happening to his iPad (remote jailbreak/root) when he was working with Snowden, in his book Dark Mirror.

The leveraging of Android malware for espionage (corporate and military both) is well-documented in the media.

So get a regular iPhone, disable the lock-screen timer, slap an app on it that mimics the unlock screen. No specialty hardware needed.

You could do that with jailbroken phones today.

A scam that requires an individually targeted bespoke device that nets tens or hundreds of thousands (how does that even work? how would the proceeds be exfiltrated untraceably?) is just a really expensive way to have a very short career as a scammer.

They social engineered access to a Twitter employees internal account, not the individual end users affected.

I understand, but that sort of behaviour should have been thwarted quickly by their security team or policies setup against abuse.

Yep, for one, you shouldn’t be able to just hand over your credentials to other people and they can immediately start doing stuff in your systems.

Also, the ability to impersonate people (not just celebrities) should require at least manual approvals. Not sure why this ability even exists.

The original speculation (that it was an API vulnerability) is actually easier to stomach.

The account was fully hijacked, email and password changed, 2FA was disabled. At that point the account basically belonged to someone else. I don’t think they realized the scope and angle of the attack.

The attacker must have added some high level access, for it to be still ongoing.

Argon2 supports peppering/secret parameter where it does a HMAC internally.

Yep. When at all possible, use cryptographic tools that natively support the features you want rather than trying to bolt them on top yourself.

So, how does one build a card network?

It's easy, you just convince a plurality of banks to honor your IOUs.