All geek questions in one place

Setup.icloud.com 2-Step Verification

I play with open source iLoot , which allows iCloud backups to be downloaded, and I was wondering how two authentication factors could be implemented.

I have a 2fa account enabled in my account and I get the first request:

First request:

auth = "Basic %s" % base64.b64encode("%s:%s" % (login, password)) authenticateResponse = plist_request("setup.icloud.com", "POST", "/setup/authenticate/$APPLE_ID$", "", {"Authorization": auth})

plist_request is just a regular python ( request ) function that requests a url from it and returns the parsed xml.

First answer (in xml format):

 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>protocolVersion</key> <string>2</string> <key>title</key> <string>Verification Required</string> <key>localizedError</key> <string>MOBILEME_TERMS_OF_SERVICE_UPDATE</string> <key>message</key> <string>This Apple ID is protected with two-step verification. To sign in, you must verify your identity.</string> </dict> </plist> Request /setup/authenticate/$APPLE_ID$ returned code 409

In case anyone knows what the next call will be for entering a two-step verification code, this can help figure this out.

+5
source share
2 answers

I’m an iOS guy, not a backend guy, but my backend teams decided this on their side using a special password for the application, not tokens.

So the user can create a password for the application: Create a password for the application

Then simply use the email address and this password instead of the token generated by dsPrsID: mmeAuthToken. As I found out for my teammates, you do not need to do base64 encoding, just use this new password and url: ' https://caldav.icloud.com/

Hope this helps. It was a nightmare for us, no help on the Internet.

UPDATE

For more information, these are the steps I used on my side (iOS):

  • I call https://setup.icloud.com/setup/authenticate/ " email@email.com ", setting "Primary email address: password" as the base64 string in the Authorization header field.

  • I am checking the response status code. If 401, it means that the password you send is a special password for the application, so I send this password (and email address) directly to my server using our internal API, and they use it to call the iCloud API and return me calendars, etc.

  • If the response status code is 409, it means that the user tried to log in with a normal password, but his account is enabled for 2fa, and I show an error, warning the user to go and get his application, password and use the one which will lead to step 2 above.

I'm not saying this is the only way, but it worked for me. Also, I don’t know exactly what is happening on the server side, but they use the passwrod-specific application directly (and possibly a letter) to do this work.

+4
source

you need to replace $ appliid $ with your applicator ... then you will get mmeAuthToken, dsPrsID

https setup.icloud.com/setup/get_account_settings dsPrsID: mmeAuthToken as basic auth returns: mmeAuthToken (new / different!)

The following backup request did not work for me ... I'm not that far ...

docs I worked with before:

https://www.elcomsoft.com/PR/recon_2013.pdf https://deepsec.net/docs/Slides/2013/DeepSec_2013_Vladimir_Katalov_-_Cracking_And_Analyzing_Apple_iCloud_Protocols.pdf

Thanks for your post! Brought me to iLoot.

+1
source

Source: https://habr.com/ru/post/1205681/

More articles: