“The researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project,” Thomas Fox-Brewster reports for Forbes. “The Russian told me he would have done so instead of posting the information on Github, a public code depository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.”
“Apple did eventually patch the flaw, according to Troshichev, which allowed for unlimited username and password guesses on the Find My iPhone software, but it appears the security hole was open long enough for hackers to cause trouble,” Fox-Brewster reports. “Some suspected Troshichev’s iBrute tool was used by those responsible for the celebrity leaks, alongside a number of hacking tools such as Elcomsoft’s Phone Password Breaker and Jack the Ripper.”
Fox-Brewster reports, “But Apple in its infinite opacity has neither confirmed nor denied such claims, simply saying there was no breach of its iCloud or Find My iPhone systems and that the photo leaks were the result of ‘a very targeted attack on user names, passwords and security questions,’ which didn’t rule out use of brute forcing or subsequent account compromises.”
Read more in the full article here.
MacDailyNews Take: As we wrote yesterday:
Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.
[The] idea that Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.
For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)
Apple could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.
Related articles:
The police tool that hackers use to steal nude photos from Apple’s iCloud – September 3, 2014
Apple would benefit from being more transparent about security – September 3, 2014
Douche.
I would have saved the world, but sprained my ankle.
I would have saved the world, but there wasn’t any reward money.
They should arrest him for terrorism of some sort! How hard is it to write a bug report?
It would not be smart to file a bug report in this case because it is a security vulnerability too. The bug reports db is a public access resource, right? And Apple may not pay attention to it anyway.
That’s why those researches or otherwise don’t file it as a bug report and instead try to negotiate some compensation for the time or effort they spent to find it, whether easy or difficult to find.
So, instead of first alerting Apple to the flaw, he creates a program to exploit it, posts it to a public site, then has the gall to say if Apple had rewarded me, I would have said something. Douche indeed.
Really? I’m assuming this has been a long-standing Apple policy. So these guys, who make money finding bugs in software and reporting them to companies, have two options; 1) Stop trying to find bugs in Apple’s software (which will always exist, it’s software after all); or 2) Make money by finding bugs and developing something to exploit the bug and selling that.
The bottom line is Apple could have tons of bug researchers “working” for it, but only pay someone who actually finds something. That’s far less costly than employing an army of bug researchers, and Apple benefits even more because the guys who are likely to search for and find bugs are reporting them to Apple rather than exploiting them.
Where I come from that’s called racketeering. I guess in Russia it’s called “business as usual”
Do we really know if Apple wouldn’t detect a rapid fire brute force attack?
Did anyone actually test this “iBrute”?
Sounds like something that would raise alarm on an IDS.
Apple already said this wasn’t a vector involved in the attack. Hopefully the FBI will be able to weight in on the issue too.
Nothing to do specifically with Russia. It was by far not the first time vulnerability was found and went to public before going to Apple. MDN’s take is correct: finding vulnerabilities should be rewarded.
It’s not racketeering, not under U.S. federal law.
But maybe extortion.
For all of us who have been watching Apple for a long time (i.e. the time before Apple reached the market cap of DELL — that big target with the bulls eye on Steve Jobs’s wall), it is somewhat difficult to adapt to this new reality. Ever since the beginning, until rather recently, Apple was a company like any other tech company when it comes to public profile. Yes, they started getting a lot of traction with the iPods (and the amazing omnipresence of the white earbud cords on mass transit across the world), but even as recently as ten years ago, Apple was still a rather low-profile company with an occasional mention in the media.
Not so today. Apple is the biggest company in the world (by market cap). As such, it strongly attracts media, an what media wants from big companies is juicy salacious stories that can put a black eye on the tech behemoth that Apple has become. The old method of ignoring the stories until they simply go away doesn’t work when you’re big and exposed. This kind of change is difficult to accept even for us observers, and I can imagine how much harder it is for the senior management that never had to deal with this kind of nonsense before.
“Apple is the biggest company in the world”
It now has the worlds biggest media target on their back.
I agree with MDN, it’s time for Apple to change some of their old habits.
What about just being mentioned in the bug fix, then move on to the next?
Honestly, some people are punching way above their weight.
And why should someone spend hours upon hours looking for a bug just to have their name included in a report? How about you do that?
These guys do this to make money, the same as you go to your job to make money. You’re not showing up for free are you?
Look, a lot of people could do something illegal, criminal, or unscrupulous to make money without anyone noticing. But they did not. Because they have principles. Scruples. Morals.
What the hackers did was wrong, plain and simple. It was a crime against the celebrities targeted. It was unscrupulous.
I hope they are caught and see serious jail time.
You are right. What they did was wrong. But that’s not the point.
We can only take it at face value when the hacker stated: [“If I could be compensated for my work, I wouldn’t have made it public.”
Now, he could have done it privately. But we already stipulated thy they exposed this the wrong way.
One can’t argue with the statement that Apple should have, as my company has, a program to compensate individuals that find security vulnerabilities.
Cowards all this hackers ….
Question for the creator brute malware ? Dude what is reason to
Do this ? Face a better way to fix your
Serious issues in live.
I’d like to see him say the same to a Russian company…
Russia is a fascist dictatorship.
Putin is a fascist version of Stalin.
FUD fades away and discredits the perpetuator – pre the dumbdown
APPLE Please STAND STRONG! Never once negotiate with terrorist. Instead investigate and identify these hacker to destroy their illicit activites, destroy them, preferable without involving the “legal system” to achieve justice. Make an example of them.
The author explains the possible point of view expressed by some programmers that programmers be paid for their work instead of free donations to Apple and other software companies. This is called a consultant’s fee.
The free solution may be characterized as community donation. Everybody donates what they can.
What happened. We had a silent standoff. Apple never offered to pay, as far as we know. The consultant-hacker (loosely speaking, no bias inferred) may or may not have spoken to Apple and may or may not have asked for payment.
The story does not pin down what Apple or the thieves did.
Historically, Apple keeps information to itself and independents don’t count.
MDN and others including myself say Apple must change its silent treatment to those who have something to contribute.
If Apple wants to make the best products, then shutting out the best knowledge is flat out the wrong way.
That still doesn’t make it right to publish the attack source as revenge.
If a Apple didn’t want his consulting business he should move on to another company who did.
Consultants don’t go around extorting companies.
It is called: “Taking the high road”.
This hacker took the low road…
Most people in the world think it is wrong. Hopefully the hackers will be found, their names will be displayed prominently over the web, they will face serious jail time. And the world will forget them…
Here let me fix that for you: s/programmers/scum/
Look at the code, do you see any great programming? It’s high school level stuff.
Consultant my stinky, hairy, arse. This is Script kiddy at best.
So, this guy jumped out in front of Apple’s car, and, without asking, begins to FURIOUSLY scrub at the window…. Now wants to get paid for the work they did.
If you want to be a security consultant, BE one and get paid everyday whether you find an exploit or not.
I wonder if “Security Researcher” means tinkering around with computers until mom makes me get a REAL job…”
Which is why Apple should have a program to invite the window washers.
“… Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.”
Well, with that logic it’s perfectly alright for the Mafia to demand extortion money in order to not break your knee caps, rape your wife and shoot your dog.
That wasn’t MDN’s point. It’s not right for the mafia any more than it is for a terrorist, hacker or anyone else who would do wrong unless paid.
However, we’re over here on the other side of this. The question is, do you pay the mafia, negotiate with terrorist, or compensate hackers/researchers?
I would say that you probably do pay the mafia, don’t negotiate with terrorists and do compensate hackers/researchers. Regardless of the first two though, the point is that unlike motivating terrorists to attack again, compensating hacker/researchers doesn’t result in more exploits, it just makes your system/software more secure.
Release software as exploit free as possible. Motivate people to inform you of exploits through compensation. Fix those exploits, and move on. The compensation is trivial whereas acted upon exploits can be devastating.
If he wants money from Apple he should apply for a job there like everyone else.
Hackers aren’t more intelligent than engineers, doctors, scientists, artists or any competent professional who enjoys their job, they just chose to apply their time to find ways to destroy other people’s work.
Why should they be rewarded with large prizes?
Should we start rewarding common criminals too? “Hey I found a way to rob your home – turns one glass windows are easy to break – better send me a couple grand or all my criminal friends will be coming over”
All top tier company who do business on the web employee third party companies who pay money for found weakness and hacks, as well as pay people to try and hack. It would never make sense for the companies to do that kind of work themselves and be open to ransom. 3rd party companies, that every hacker knows, will pay, while the founding comes from their client companies. BTW plenty of stories out there say the NSA is a client company.
And you want to be my latex salesman….. Brute force on find my iPhone ….really?? A company with the wherewithal that Apple has couldn’t figure that one out? Again attention to detail is missed… Wonder what other things will be missed as Apple rolls out their cloud provider services on Tuesday.
Could of been sabatoge by one of Apple’s employees. Maybe said employee received a nice fat paycheck from Samsung, the NSA, the Chinese government, the Russian government or CNBC.
Ty all for the feedback.
In this particular case, the hacker did not do his / her moral best.
In the majority of situations where the people who found the security weaknesses took action, they did so with Apple in a low-key manner.
——————
Regarding getting a job at Apple, its not easy. Obviously, Apple does not hire every skilled person with an appropriate idea. Therein lies the problem. Apple does not hire until it wants to. This has a greater than necessary chance to be a re-active hire as compared to a pro-active hire.
Umm, look at the company behind the curtain. I think I see Samsung. 🙂
Pirates of silicon valley.
Many of you posting to this sire were still in diapers when when Steve and Wozniak had a phone hacking device that they used to call the pope…lol
Apple deserve everything coming to them as the current team are arrogant, self centered, ignorant and these are the guys your now in the future going to trust with your health.
A hole in security is a hole and the sole responsibility of Apple.
Please read the Novel by Robin Cook called Cell a scary view of a possible future technology failure regarding the health kit.
I find it astounding that Apple has not got a Russian team of hackers and researchers. Apple makes 100,000 a minute its not like they cant afford it which points the the most common tech issue geeks with big heads.
And how would you place a value on a security hole?
Hacker says it’s worth $10,000,000. Apple says it’s worth $5,000. The hacker says, no deal and publishes the details and an exploit mechanism. Is it still Apple’s fault for not paying the hacker?
At what point does it really turn into extortion?
Hackers can’t claim White Hat morals and status if they publish the vulnerability and a mechanism to exploit it. If they really want White Hat superiority, they need to never publish the vulnerability and at the very worst just say to Apple, “You now know you have a vulnerability. Go figure out where it is yourself!”
I would say the value is quite a bit more than $ 5000.
Where did u hear $ 5000 ?
“Big Joe” Stalin knew how to deal with these types.
I’m split on this. He claims to have principles, but did the exact opposite anyway. Douche.
Seriously, if this dude was so interested in getting paid for his “work”, then why did he post the exploit on a public forum and not charge for it? Sounds to me like an ego thing, not a “money” thing…
I love this…information and someone else’s private pictures and information are free for you to take and distribute as threat and intimidation unless you get paid for your effort in discovering how to do it. Ethics 101
https://www.coursera.org/course/techethics
“Researcher”, gimme a break, the guy is a scumbag, don’t ever place a label like that on a guy like him, thats incredibly insulting…….