Creator of iCloud hacker tool: I would have warned Apple if they properly rewarded researchers

“The researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project,” Thomas Fox-Brewster reports for Forbes. “The Russian told me he would have done so instead of posting the information on Github, a public code depository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.”

“Apple did eventually patch the flaw, according to Troshichev, which allowed for unlimited username and password guesses on the Find My iPhone software, but it appears the security hole was open long enough for hackers to cause trouble,” Fox-Brewster reports. “Some suspected Troshichev’s iBrute tool was used by those responsible for the celebrity leaks, alongside a number of hacking tools such as Elcomsoft’s Phone Password Breaker and Jack the Ripper.”

Fox-Brewster reports, “But Apple in its infinite opacity has neither confirmed nor denied such claims, simply saying there was no breach of its iCloud or Find My iPhone systems and that the photo leaks were the result of ‘a very targeted attack on user names, passwords and security questions,’ which didn’t rule out use of brute forcing or subsequent account compromises.”

Read more in the full article here.

MacDailyNews Take: As we wrote yesterday:

Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.

[The] idea that Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.

For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)

Apple could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.
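The flaw described above is the absence of any limit on password guesses against a login endpoint. The following is an added example of the kind of control an audit would expect in front of such an endpoint; it is illustrative code, not Apple's, and assumes a per-account sliding window with a temporary lockout (the thresholds are invented for the example).

```python
from collections import defaultdict, deque

# Constructed defaults for the example: lock an account after 5 failed
# guesses inside a 5-minute window, and keep it locked for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Per-account throttle for a password-checking endpoint.

    A production deployment would additionally key on the source address
    and emit an alert when a lockout fires; this block shows only the
    per-account window that the page says was missing."""

    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> lock expiry time

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: reset the account
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account, credential_ok, now):
        """Gate one login attempt; returns 'locked', 'ok' or 'bad'.

        The credential result is evaluated by the caller; a locked account
        is refused even when the supplied password is correct."""
        if self.is_locked(account, now):
            return "locked"
        if credential_ok:
            self._failures.pop(account, None)  # success clears the window
            return "ok"
        q = self._failures[account]
        while q and now - q[0] > self.window:  # drop failures outside window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
        return "bad"
```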

Related articles:
The police tool that hackers use to steal nude photos from Apple’s iCloud – September 3, 2014
Apple would benefit from being more transparent about security – September 3, 2014

48 Comments

    1. It would not be smart to file a bug report in this case because it is a security vulnerability too. The bug reports db is a public access resource, right? And Apple may not pay attention to it anyway.

      That’s why those researchers or otherwise don’t file it as a bug report and instead try to negotiate some compensation for the time or effort they spent to find it, whether easy or difficult to find.

  1. So, instead of first alerting Apple to the flaw, he creates a program to exploit it, posts it to a public site, then has the gall to say if Apple had rewarded me, I would have said something. Douche indeed.

    1. Really? I’m assuming this has been a long-standing Apple policy. So these guys, who make money finding bugs in software and reporting them to companies, have two options: 1) Stop trying to find bugs in Apple’s software (which will always exist, it’s software after all); or 2) Make money by finding bugs and developing something to exploit the bug and selling that.

      The bottom line is Apple could have tons of bug researchers “working” for it, but only pay someone who actually finds something. That’s far less costly than employing an army of bug researchers, and Apple benefits even more because the guys who are likely to search for and find bugs are reporting them to Apple rather than exploiting them.

  2. Where I come from that’s called racketeering. I guess in Russia it’s called “business as usual”

    Do we really know if Apple wouldn’t detect a rapid fire brute force attack?
    Did anyone actually test this “iBrute”?

    Sounds like something that would raise alarm on an IDS.

    Apple already said this wasn’t a vector involved in the attack. Hopefully the FBI will be able to weight in on the issue too.

    1. Nothing to do specifically with Russia. It was by far not the first time a vulnerability was found and went public before going to Apple. MDN’s take is correct: finding vulnerabilities should be rewarded.

  3. For all of us who have been watching Apple for a long time (i.e. the time before Apple reached the market cap of DELL — that big target with the bull’s-eye on Steve Jobs’s wall), it is somewhat difficult to adapt to this new reality. Ever since the beginning, until rather recently, Apple was a company like any other tech company when it comes to public profile. Yes, they started getting a lot of traction with the iPods (and the amazing omnipresence of the white earbud cords on mass transit across the world), but even as recently as ten years ago, Apple was still a rather low-profile company with an occasional mention in the media.

    Not so today. Apple is the biggest company in the world (by market cap). As such, it strongly attracts media, and what media wants from big companies is juicy salacious stories that can put a black eye on the tech behemoth that Apple has become. The old method of ignoring the stories until they simply go away doesn’t work when you’re big and exposed. This kind of change is difficult to accept even for us observers, and I can imagine how much harder it is for the senior management that never had to deal with this kind of nonsense before.

    1. “Apple is the biggest company in the world”

      It now has the world’s biggest media target on their back.
      I agree with MDN, it’s time for Apple to change some of their old habits.

    1. And why should someone spend hours upon hours looking for a bug just to have their name included in a report? How about you do that?

      These guys do this to make money, the same as you go to your job to make money. You’re not showing up for free are you?

      1. Look, a lot of people could do something illegal, criminal, or unscrupulous to make money without anyone noticing. But they did not. Because they have principles. Scruples. Morals.

        What the hackers did was wrong, plain and simple. It was a crime against the celebrities targeted. It was unscrupulous.

        I hope they are caught and see serious jail time.

        1. You are right. What they did was wrong. But that’s not the point.

          We can only take it at face value when the hacker stated: “If I could be compensated for my work, I wouldn’t have made it public.”

          Now, he could have done it privately. But we already stipulated that they exposed this the wrong way.

          One can’t argue with the statement that Apple should have, as my company has, a program to compensate individuals that find security vulnerabilities.
