Creator of iCloud hacker tool: I would have warned Apple if they properly rewarded researchers

“The researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project,” Thomas Fox-Brewster reports for Forbes. “The Russian told me he would have done so instead of posting the information on Github, a public code depository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.”

“Apple did eventually patch the flaw, according to Troshichev, which allowed for unlimited username and password guesses on the Find My iPhone software, but it appears the security hole was open long enough for hackers to cause trouble,” Fox-Brewster reports. “Some suspected Troshichev’s iBrute tool was used by those responsible for the celebrity leaks, alongside a number of hacking tools such as Elcomsoft’s Phone Password Breaker and Jack the Ripper.”

Fox-Brewster reports, “But Apple in its infinite opacity has neither confirmed nor denied such claims, simply saying there was no breach of its iCloud or Find My iPhone systems and that the photo leaks were the result of ‘a very targeted attack on user names, passwords and security questions,’ which didn’t rule out use of brute forcing or subsequent account compromises.”

Read more in the full article here.

MacDailyNews Take: As we wrote yesterday:

Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.

[The] idea that Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.

For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)

Apple could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.
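The flaw described above comes down to one missing control: the login endpoint accepted an unlimited number of password guesses. The following is an added example, not code from the article, from iBrute, or from Apple, showing the two defender-side pieces a practitioner would want: a per-account attempt throttle that a login handler consults, and a detector that runs over authentication log lines and flags rapid-fire failure bursts (the "would this raise an alarm on an IDS" question). The thresholds, log format and sample log lines are constructed for this example and are not Apple's.

```python
"""Defender-side handling of unlimited-guess login endpoints: an attempt
throttle for the login path and a burst detector for auth logs.
All policy values, the log format and the sample data are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy values (an assumption for this example, not Apple's settings).
MAX_FAILURES = 5                 # failures allowed inside WINDOW before lockout
WINDOW = timedelta(minutes=15)    # sliding window over which failures are counted
LOCKOUT = timedelta(minutes=30)   # how long an account stays locked


class AttemptThrottle:
    """Tracks failed logins per account and refuses further attempts once the
    per-window limit is hit, which removes the 'unlimited guesses' condition."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> recent failure timestamps
        self._locked_until = {}               # account -> datetime

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Call after each credential decision; returns True if account is now locked."""
        if success:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return False
        q = self._failures[account]
        while q and now - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT
            return True
        return False


def authenticate(throttle, account, password, now, check_credentials):
    """Reject locked accounts before the password is examined. The caller sees
    the same False either way, so a lockout is not distinguishable from a miss."""
    if throttle.is_locked(account, now):
        return False
    ok = check_credentials(account, password)
    throttle.record(account, ok, now)
    return ok


def demo_throttle():
    """Constructed scenario: six wrong guesses for 'alice' one second apart, the
    right password while locked, then the right password after the lockout."""
    throttle = AttemptThrottle()
    creds = {"alice": "correct horse"}        # constructed credential store

    def check(acct, pw):
        return creds.get(acct) == pw

    t0 = datetime(2014, 9, 1, 10, 0, 0)
    results = [authenticate(throttle, "alice", f"guess{i}", t0 + timedelta(seconds=i), check)
               for i in range(6)]
    results.append(authenticate(throttle, "alice", "correct horse",
                                t0 + timedelta(seconds=6), check))
    results.append(authenticate(throttle, "alice", "correct horse",
                                t0 + LOCKOUT + timedelta(seconds=10), check))
    return results   # [False] * 7 + [True]


# --- detection over auth logs --------------------------------------------------
# Constructed log format: "<ISO time> <source ip> <account> <FAIL|OK>"
SAMPLE_LOG = """\
2014-09-01T10:00:00 198.51.100.7 alice FAIL
2014-09-01T10:00:01 198.51.100.7 alice FAIL
2014-09-01T10:00:01 198.51.100.7 alice FAIL
2014-09-01T10:00:02 198.51.100.7 alice FAIL
2014-09-01T10:00:02 198.51.100.7 alice FAIL
2014-09-01T10:00:03 198.51.100.7 alice FAIL
2014-09-01T10:05:00 203.0.113.9 bob FAIL
2014-09-01T10:05:30 203.0.113.9 bob OK
"""


def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def find_bursts(log_text, threshold=MAX_FAILURES, window=timedelta(minutes=1)):
    """Return (account, source ip, count) once per key whose failures inside a
    sliding window reach the threshold; a rapid-fire guesser trips this early."""
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        ts, ip, account, result = parse_line(line)
        if result != "FAIL":
            continue
        key = (account, ip)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = len(q)
    return [(acct, ip, n) for (acct, ip), n in alerts.items()]


if __name__ == "__main__":
    print(demo_throttle())
    print(find_bursts(SAMPLE_LOG))
```

The throttle keys on the account so that guesses spread across many source addresses still hit the limit, while the detector keys on account and source together so that one user mistyping from their own machine is not confused with a burst from a single guessing host; in practice both views are kept.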

Related articles:
The police tool that hackers use to steal nude photos from Apple’s iCloud – September 3, 2014
Apple would benefit from being more transparent about security – September 3, 2014


    1. It would not be smart to file a bug report in this case because it is a security vulnerability too. The bug reports db is a public access resource, right? And Apple may not pay attention to it anyway.

      That’s why those researchers or otherwise don’t file it as a bug report and instead try to negotiate some compensation for the time or effort they spent to find it, whether easy or difficult to find.

  1. So, instead of first alerting Apple to the flaw, he creates a program to exploit it, posts it to a public site, then has the gall to say if Apple had rewarded me, I would have said something. Douche indeed.

    1. Really? I’m assuming this has been a long-standing Apple policy. So these guys, who make money finding bugs in software and reporting them to companies, have two options: 1) Stop trying to find bugs in Apple’s software (which will always exist, it’s software after all); or 2) Make money by finding bugs and developing something to exploit the bug and selling that.

      The bottom line is Apple could have tons of bug researchers “working” for it, but only pay someone who actually finds something. That’s far less costly than employing an army of bug researchers, and Apple benefits even more because the guys who are likely to search for and find bugs are reporting them to Apple rather than exploiting them.

  2. Where I come from that’s called racketeering. I guess in Russia it’s called “business as usual.”

    Do we really know if Apple wouldn’t detect a rapid fire brute force attack?
    Did anyone actually test this “iBrute”?

    Sounds like something that would raise alarm on an IDS.

    Apple already said this wasn’t a vector involved in the attack. Hopefully the FBI will be able to weight in on the issue too.

    1. Nothing to do specifically with Russia. It was by far not the first time a vulnerability was found and went public before going to Apple. MDN’s take is correct: finding vulnerabilities should be rewarded.

  3. For all of us who have been watching Apple for a long time (i.e. the time before Apple reached the market cap of DELL — that big target with the bulls eye on Steve Jobs’s wall), it is somewhat difficult to adapt to this new reality. Ever since the beginning, until rather recently, Apple was a company like any other tech company when it comes to public profile. Yes, they started getting a lot of traction with the iPods (and the amazing omnipresence of the white earbud cords on mass transit across the world), but even as recently as ten years ago, Apple was still a rather low-profile company with an occasional mention in the media.

    Not so today. Apple is the biggest company in the world (by market cap). As such, it strongly attracts media, and what media wants from big companies is juicy salacious stories that can put a black eye on the tech behemoth that Apple has become. The old method of ignoring the stories until they simply go away doesn’t work when you’re big and exposed. This kind of change is difficult to accept even for us observers, and I can imagine how much harder it is for the senior management that never had to deal with this kind of nonsense before.

    1. “Apple is the biggest company in the world”

      It now has the world’s biggest media target on its back.
      I agree with MDN, it’s time for Apple to change some of their old habits.

    1. And why should someone spend hours upon hours looking for a bug just to have their name included in a report? How about you do that?

      These guys do this to make money, the same as you go to your job to make money. You’re not showing up for free are you?

      1. Look, a lot of people could do something illegal, criminal, or unscrupulous to make money without anyone noticing. But they did not. Because they have principles. Scruples. Morals.

        What the hackers did was wrong, plain and simple. It was a crime against the celebrities targeted. It was unscrupulous.

        I hope they are caught and see serious jail time.

        1. You are right. What they did was wrong. But that’s not the point.

          We can only take it at face value when the hacker stated: “If I could be compensated for my work, I wouldn’t have made it public.”

          Now, he could have done it privately. But we already stipulated that they exposed this the wrong way.

          One can’t argue with the statement that Apple should have, as my company has, a program to compensate individuals that find security vulnerabilities.

  4. APPLE Please STAND STRONG! Never once negotiate with terrorists. Instead investigate and identify these hackers to destroy their illicit activities, destroy them, preferably without involving the “legal system” to achieve justice. Make an example of them.

  5. The author explains the possible point of view expressed by some programmers that programmers be paid for their work instead of free donations to Apple and other software companies. This is called a consultant’s fee.

    The free solution may be characterized as community donation. Everybody donates what they can.

    What happened. We had a silent standoff. Apple never offered to pay, as far as we know. The consultant-hacker (loosely speaking, no bias inferred) may or may not have spoken to Apple and may or may not have asked for payment.

    The story does not pin down what Apple or the thieves did.

    Historically, Apple keeps information to itself and independents don’t count.

    MDN and others including myself say Apple must change its silent treatment to those who have something to contribute.

    If Apple wants to make the best products, then shutting out the best knowledge is flat out the wrong way.

    1. That still doesn’t make it right to publish the attack source as revenge.

      If Apple didn’t want his consulting business he should move on to another company who did.

      Consultants don’t go around extorting companies.

      1. It is called: “Taking the high road”.
        This hacker took the low road…

        Most people in the world think it is wrong. Hopefully the hackers will be found, their names will be displayed prominently over the web, they will face serious jail time. And the world will forget them…

    2. Here let me fix that for you: s/programmers/scum/

      Look at the code, do you see any great programming? It’s high school level stuff.

      Consultant my stinky, hairy, arse. This is Script kiddy at best.

    3. So, this guy jumped out in front of Apple’s car, and, without asking, begins to FURIOUSLY scrub at the window…. Now wants to get paid for the work they did.

      If you want to be a security consultant, BE one and get paid everyday whether you find an exploit or not.

      I wonder if “Security Researcher” means tinkering around with computers until mom makes me get a REAL job…

  6. “… Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.”

    Well, with that logic it’s perfectly alright for the Mafia to demand extortion money in order to not break your knee caps, rape your wife and shoot your dog.

    1. That wasn’t MDN’s point. It’s not right for the mafia any more than it is for a terrorist, hacker or anyone else who would do wrong unless paid.

      However, we’re over here on the other side of this. The question is, do you pay the mafia, negotiate with terrorists, or compensate hackers/researchers?

      I would say that you probably do pay the mafia, don’t negotiate with terrorists and do compensate hackers/researchers. Regardless of the first two though, the point is that unlike motivating terrorists to attack again, compensating hacker/researchers doesn’t result in more exploits, it just makes your system/software more secure.

      Release software as exploit free as possible. Motivate people to inform you of exploits through compensation. Fix those exploits, and move on. The compensation is trivial whereas acted upon exploits can be devastating.

  7. If he wants money from Apple he should apply for a job there like everyone else.

    Hackers aren’t more intelligent than engineers, doctors, scientists, artists or any competent professional who enjoys their job, they just chose to apply their time to find ways to destroy other people’s work.

    Why should they be rewarded with large prizes?

    Should we start rewarding common criminals too? “Hey, I found a way to rob your home – turns out glass windows are easy to break – better send me a couple grand or all my criminal friends will be coming over.”

  8. All top-tier companies who do business on the web employ third-party companies who pay money for found weaknesses and hacks, as well as pay people to try and hack. It would never make sense for the companies to do that kind of work themselves and be open to ransom. Third-party companies, that every hacker knows, will pay, while the funding comes from their client companies. BTW plenty of stories out there say the NSA is a client company.
