On my Yosemite OSX machine I often get an ICloud prompt after awaking from sleep or after a reboot like this
what program is causing this? Is it a valid Apple one or one trying to get my password?
I have not knowingly set an app-specific password.
and in normal use ie not just after awake I got the box again but a more interesting log
24/03/2016 11:51:12.488 identityservicesd[8431]: [Warning] Registration failed for Registration info (0x7ff8e1435230): [Registered: NO] [Type: AppleID] [Device Name: (null)] [Service Type: com.apple.private.alloy.maps] [Env: (null)] [Main ID: example@mac.com] [Phone Number: example@mac.com] [AppleID: example@mac.com] [UserID: E: example@mac.com] [C2K: NO] [Push Token: <f72dd563 26eccf96 f9e058ca b26ff2b7 fa67c0e9 e7b8e17e a9c86f31 c8d5f217>] [Region ID: R:GB] [Base Number: +440000000000] [URIs: ()] [Candidates: (example@mac.com, example@icloud.com, example@me.com)] [Auth Cert: 0x0] [Reg Cert: 0x0] [Profile ID: D:53092237] [Auth User ID: (null)] [Heartbeat Date: (null)] (Error: 0)
From that list of contacts it does look message related but still what proof is that this is from Apple and note my Message does not work even if I provide a password(see other question)
Best Answer
The process displaying the iCloud Password window on OS X Yosemite is:
The way to confirm: navigate to and read the contents of the answers under this question on SuperUser:
The first one contains a link to a blog post describing a way to debug the very same problem (iCloud Password window). Author suggests running the following script and moving the window in question with a mouse/trackpad. The script discovers position change and prints the details of a window that was moved.
The other answer points to a github project mac_list_windows_pids with a Python script that lists currently active windows and their processes. You can run it twice with the iCloud Password window active and after closing, save the results to text files and
diff
them.Both scripts in my case pointed to
UserNotificationCenter
process, which afterps -ef
revealed the following executable:For ultimate confirmation you can check if the window would disappear after:
Next you can check the validity of the app's signature using the following command:
And check the signature with (with results from my OS X 10.10.5 (14F1605) for reference):
Also for reference SHA of the executable is
301e4caa71c9e0add012705c2e61be97d801717c
.Of course everyone should test for themselves to make sure no other program impersonates this window.
While not related, there is a report that a phishing method mimicking the iCloud password prompt has been used on iOS, so it is a valid concern.
As for the problem itself it seems to be commonly reported. Disabling the
UserNotificationCenter
with the following command prevented the window from appearing: