Apple Now Letting Apple IDs With Third-Party Email Addresses Be Updated to Apple Email Addresses

Apple today made a small change to the way Apple IDs work, and for the first time, Apple customers who have an Apple ID that uses a third-party email address can update that Apple ID to use an Apple @icloud.com, @me.com, or @mac.com email address.

Prior to today, an Apple ID that used a third-party email address could be changed to another third-party email address, but there wasn't an option to use one of the Apple email accounts that are created when an Apple ID is made.


The change was outlined by MacRumors reader Dillon, who sent an email to several executives earlier this month asking for the problem to be changed. Dillon was contacted by Apple Executive Relations last week and was told Apple's engineering team would look into the problem. He received a second phone call today, letting him know the issue had been fixed. From Dillon:
For a long time if you had an Apple ID that used a 3rd party email address as your Apple ID you were unable to change it to an Apple email address... even if the Apple address was on the same account.

I couple of weeks ago I sent an email addressed to Tim Cook, Craig Federighi, Phil Schiller, and Eddy Cue. I explained the situation and asked if they could fix it. Last week I received an email and phone call from someone at Apple Executive Relations. The women I spoke to told me that the problem would be sent to an engineering team and would be addressed. Today I got another call and email informing me that the issue had been resolved.

I tried it out and sure enough... I can finally set my Apple email as my Apple ID!
Apple's "Change Your Apple ID" support document was today updated to reflect the updates made to the Apple ID, and it now includes a section confirming a third-party email address can be changed to an @icloud.com, @me.com, or @mac.com email address.

When swapping from a third-party Apple ID email address to an email address ending in @icloud.com, @me.com, or @mac.com, Apple warns that there is no way to change it back to a third-party email account.
If you enter a new Apple ID that ends with @icloud.com, @me.com, or @mac.com, you see a message to confirm. When you change your Apple ID to an @icloud.com, @me.com, or @mac.com account, you can't change it back to a third-party email account. Your former Apple ID that ends with a third-party email, becomes an additional email address for your Apple ID account.
This should be a welcome change for all Apple customers who have wanted to change their Apple ID addresses to an official Apple email address. Those who want to go ahead and swap should read Apple's support document and follow all of the steps, which include signing out of all iOS devices before making the change.


Discuss this article in our forums

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.


Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.
Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.
Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.


The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.


Discuss this article in our forums

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.


Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.
Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.
Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.


The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.


Discuss this article in our forums