“The researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project,” Thomas Fox-Brewster reports for Forbes. “The Russian told me he would have done so instead of posting the information on Github, a public code depository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.”
“Apple did eventually patch the flaw, according to Troshichev, which allowed for unlimited username and password guesses on the Find My iPhone software, but it appears the security hole was open long enough for hackers to cause trouble,” Fox-Brewster reports. “Some suspected Troshichev’s iBrute tool was used by those responsible for the celebrity leaks, alongside a number of hacking tools such as Elcomsoft’s Phone Password Breaker and Jack the Ripper.”
Fox-Brewster reports, “But Apple in its infinite opacity has neither confirmed nor denied such claims, simply saying there was no breach of its iCloud or Find My iPhone systems and that the photo leaks were the result of ‘a very targeted attack on user names, passwords and security questions,’ which didn’t rule out use of brute forcing or subsequent account compromises.”
Read more in the full article here.
MacDailyNews Take: As we wrote yesterday:
Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.
[The] idea that Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.
For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)
Apple could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.
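As an added illustration (not code from Apple, Forbes or MacDailyNews), the Python below models a login endpoint in the two shapes the Take contrasts: one that accepts unlimited guesses for an account, and one that counts failures per account, refuses further attempts during a lockout window, and records the event for whoever is watching the logs. The account, credential store, guess list and 900-second window are constructed sample values, not anything taken from Apple's systems.

```python
import time
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

# Constructed sample credential store (hypothetical; not Apple's).
USERS = {"alice@example.com": "correct-horse-battery"}


@dataclass
class LoginService:
    """Login endpoint with optional per-account failure throttling."""
    max_failures: Optional[int] = None   # None = unlimited guesses (the weakness the Take describes)
    lockout_seconds: float = 900.0       # constructed window; tune to your risk model
    failures: dict = field(default_factory=dict)    # account -> (failure count, first failure ts)
    audit_log: list = field(default_factory=list)   # what a detection team would ingest

    def _locked(self, user: str, now: float) -> bool:
        count, since = self.failures.get(user, (0, now))
        if self.max_failures is None or count < self.max_failures:
            return False
        if now - since >= self.lockout_seconds:   # window expired: start counting afresh
            del self.failures[user]
            return False
        return True

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._locked(user, now):
            self.audit_log.append(f"LOCKED user={user}")   # attempts during lockout are visible
            return "locked"
        expected = USERS.get(user)
        if expected is not None and compare_digest(expected, password):
            self.failures.pop(user, None)                # success clears the counter
            return "ok"
        count, since = self.failures.get(user, (0, now))
        self.failures[user] = (count + 1, since)
        self.audit_log.append(f"FAIL user={user} count={count + 1}")
        return "denied"


def simulate(service: LoginService, guesses: list, now: float = 0.0) -> list:
    """Replay a constructed guess list against one account; return outcomes in order."""
    return [service.login("alice@example.com", g, now) for g in guesses]


# Constructed guess list: five wrong guesses followed by the real password.
GUESSES = ["123456", "password", "qwerty", "letmein", "iloveyou", "correct-horse-battery"]
```

Against the unthrottled service the sixth guess succeeds; with `max_failures=5` the same guess is refused until the window expires, and the log shows both the failures and the attempt made during lockout. Hard per-account lockouts can be turned against the legitimate user, so production deployments usually pair them with per-source throttling and alerting rather than relying on the counter alone.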
The police tool that hackers use to steal nude photos from Apple’s iCloud – September 3, 2014
Apple would benefit from being more transparent about security – September 3, 2014