Wallet leak in Vision Pro

FYI. Just got a message from a student of mine that he got my wallet cards injected into his iCloud account after just logging into the Apple Vision Pro which I was testing months ago for our University, after going through the logging out of iCloud and erasing all data etc.

Apple Vision Pro

Posted on Mar 10, 2025 3:34 AM

10 replies
Question marked as Top-ranking reply

Mar 10, 2025 7:49 AM in response to Joris1980

You used a third party app, not Apple Wallet. Hence what I wrote above would not apply to you. Third party apps are not stored securely in the Secure Element or Secure Enclave.


Evidently you didn’t complete a final step or two when erasing the device. You needed to turn off Find My if enabled for the device and remove the device from your Apple Account.


Pass2U may have iCloud storage and syncing privileges if you enabled it in your iCloud Settings on your iPhone.


Please follow this path:


iPhone > Settings > Apple Account (Your Name at top of screen) > Save to iCloud – See All > scroll down > Pass2U > disable.


iPhone > Settings > Apple Account (Your Name at top of screen) > Drive > Apps Syncing to iCloud Drive > scroll down > Pass2U > disable




Mar 10, 2025 5:45 AM in response to Joris1980

Some loyalty cards may be backed up to iCloud. Loyalty cards that double as a gift card/payment method are not backed up.


The only way to obtain information stored in iCloud would be for the student to log into your Apple Account and restore their Vision Pro or register their device to your account and initiate a sync.


Change the password to your Apple Account and enable Two Factor Authentication.


If you think your Apple Account has been compromised - Apple Support


Mar 10, 2025 6:19 AM in response to Joris1980

That may be what he said he did, but that’s literally impossible. Your data is encrypted and the key to unlock it is entirely different from the key to another account. It’s impossible for the student to access the information without access to the key. The key is accessed from devices logged into your account. If the information was on his device, he had access to the key for your iCloud account. Apple doesn’t store the key or have access to the key.

Mar 10, 2025 8:26 AM in response to Joris1980

Be sure and tell them it’s a third party app. Apple Pay and Apple Wallet are not easy to explain to people. Much of what I wrote early on applied only to Apple Wallet. You had not yet disclosed the third party app.


The easy way to check would be if the student has the third party app data on his iCloud. According to you and the student the cards synced across his devices. M


There’s more testing and information that needs to be ascertained before a definitive conclusion can be made. But Pass2U is definitely a good part of the issue.


Best of luck with everything.

Mar 10, 2025 7:24 AM in response to Jeff Donald

I feel like I've not painted the whole picture. Let me explain this via this bullet-point scenario:


  • I rent an Apple Vision Pro from our student service desk (couple of months ago)
  • I log into the Apple Vision Pro with my Apple ID account to fully experience (test) its capabilities
  • I log out of my iCloud account
  • I go to settings and erase all data and settings so that the whole onboarding sequence is reset on the AVP
  • I turn it back in at the student service desk
  • Couple of months go by without anybody renting it again
  • Then last week a student (first one after me) rents that AVP and logs into it with his Apple ID
  • Then this student messages me this: "Just wanted to warn you about something. Last week I used the Apple Vision Pro we have in our ISSD, and today I saw what it has left in my wallet."
  • Then he sends me pictures of my loyalty cards that are in his wallet on his iPhone(!)
  • He then assures me he had deleted them but did want to reach out to me that this had happened.


Extra info: The loyalty cards have been added to my wallet through an app called pass4wallet. I have all the necessary security set up on my Apple ID with 2FA and did not get any security e-mail.


So my guess is that some residual data was still left on the AVP and somehow got transferred into the student's Apple ID.


I know it should be impossible & I have a lot of experience with transferring Apple devices and never did anything like this happen. But this was the first time with Apple Vision Pro. So knowing this has its own OS and is fairly new, my hypothesis is the one described above.
