Creator of iCloud hacker tool: I would have warned Apple if they properly rewarded researchers

“The researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project,” Thomas Fox-Brewster reports for Forbes. “The Russian told me he would have done so instead of posting the information on Github, a public code depository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.”

“Apple did eventually patch the flaw, according to Troshichev, which allowed for unlimited username and password guesses on the Find My iPhone software, but it appears the security hole was open long enough for hackers to cause trouble,” Fox-Brewster reports. “Some suspected Troshichev’s iBrute tool was used by those responsible for the celebrity leaks, alongside a number of hacking tools such as Elcomsoft’s Phone Password Breaker and Jack the Ripper.”

Fox-Brewster reports, “But Apple in its infinite opacity has neither confirmed nor denied such claims, simply saying there was no breach of its iCloud or Find My iPhone systems and that the photo leaks were the result of ‘a very targeted attack on user names, passwords and security questions,’ which didn’t rule out use of brute forcing or subsequent account compromises.”

Read more in the full article here.

MacDailyNews Take: As we wrote yesterday:

Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.

[The] idea that Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.

For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)

Apple could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.
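The control the Take is talking about is simple to state: a login interface that accepts unlimited password guesses for one account has no throttling or lockout. The block below is an added illustration of such a per-account lockout, not Apple's code and not from the Forbes or MacDailyNews articles; the account store, the password hashing parameters and the attempt limits are constructed for the example.

```python
"""
Per-account login throttling: the control the article describes as missing
from the Find My iPhone login interface (unlimited username/password guesses).

Added illustration, not Apple's code. Accounts, hashing parameters and the
attempt limits below are constructed for the example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILURES = 5            # failed attempts tolerated before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # all attempts on the account are refused for this long
PBKDF2_ROUNDS = 50_000      # illustrative work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failures in the current window
    locked_until: float = 0.0  # monotonic timestamp; 0 means not locked


class ManualClock:
    """Settable clock so the lockout window can be tested without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class LoginService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    clock: Callable[[], float] = time.monotonic

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'.

        Unknown usernames take the same hashing cost and the same 'denied'
        result as a wrong password, so the response does not reveal which
        usernames exist.  Once MAX_FAILURES is reached, even the correct
        password is refused until the lockout window has passed.
        """
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # equalise timing for unknown users
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0  # a successful login resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


def run_attempts(service: LoginService, username: str, guesses: List[str]) -> List[str]:
    """Submit a sequence of candidate passwords and collect the outcomes."""
    return [service.login(username, g) for g in guesses]


if __name__ == "__main__":
    clock = ManualClock()
    svc = LoginService(clock=clock)
    svc.register("alice", "correct-horse")  # constructed account
    # five wrong guesses trigger the lockout; the sixth, correct, guess is refused
    print(run_attempts(svc, "alice", ["a", "b", "c", "d", "e", "correct-horse"]))
    clock.t += LOCKOUT_SECONDS + 1
    print(svc.login("alice", "correct-horse"))  # window expired: ok
```

The design point a reviewer would check: the lockout applies to every attempt on the account, correct password included, for the whole window, and the counter only resets on success or on expiry. A limit that resets on each new connection, or that only slows down rather than refuses, leaves the rapid-fire guessing the article describes largely intact.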

Related articles:
The police tool that hackers use to steal nude photos from Apple’s iCloud – September 3, 2014
Apple would benefit from being more transparent about security – September 3, 2014

48 Comments

  1. And you want to be my latex salesman….. Brute force on Find My iPhone ….really?? A company with the wherewithal that Apple has couldn’t figure that one out? Again, attention to detail is missed… Wonder what other things will be missed as Apple rolls out their cloud provider services on Tuesday.

    1. Could have been sabotage by one of Apple’s employees. Maybe said employee received a nice fat paycheck from Samsung, the NSA, the Chinese government, the Russian government or CNBC.

  2. Ty all for the feedback.

    In this particular case, the hacker did not do his / her moral best.

    In the majority of situations where the people who found the security weaknesses took action, they did so with Apple in a low-key manner.

    ——————

    Regarding getting a job at Apple, it’s not easy. Obviously, Apple does not hire every skilled person with an appropriate idea. Therein lies the problem. Apple does not hire until it wants to. This has a greater than necessary chance to be a reactive hire as compared to a proactive hire.

  3. Pirates of silicon valley.

    Many of you posting to this site were still in diapers when Steve and Wozniak had a phone hacking device that they used to call the pope…lol

    Apple deserves everything coming to them, as the current team are arrogant, self-centered, ignorant, and these are the guys you’re now in the future going to trust with your health.

    A hole in security is a hole and the sole responsibility of Apple.

    Please read the novel by Robin Cook called Cell, a scary view of a possible future technology failure regarding HealthKit.

    I find it astounding that Apple has not got a Russian team of hackers and researchers. Apple makes 100,000 a minute; it’s not like they can’t afford it, which points to the most common tech issue: geeks with big heads.

  4. And how would you place a value on a security hole?

    Hacker says it’s worth $10,000,000. Apple says it’s worth $5,000. The hacker says, no deal and publishes the details and an exploit mechanism. Is it still Apple’s fault for not paying the hacker?

    At what point does it really turn into extortion?

    Hackers can’t claim White Hat morals and status if they publish the vulnerability and a mechanism to exploit it. If they really want White Hat superiority, they need to never publish the vulnerability and at the very worst just say to Apple, “You now know you have a vulnerability. Go figure out where it is yourself!”

  5. Seriously, if this dude was so interested in getting paid for his “work”, then why did he post the exploit on a public forum and not charge for it? Sounds to me like an ego thing, not a “money” thing…

  6. This hacker wants to be viewed as a white hat, while claiming if only Apple paid me to be a grey hat, while acting as a black hat.

    Hackers have and play a very important role in software. White hats hone the skill and seek the community recognition for their skills. Grey hats work, directly or indirectly, for the security firms, seeking bucks and recognition. Too often their egos want the press and they straddle the lines. Black hats seek to wreak mayhem via their exploits.

    Apple and all other software firms constantly work to improve the security of their software by engaging with hackers. The white hat protocol is to inform a firm and provide a window of time allowing for them to effect a patch, and then go public. Usually 30 days is the window. After that, going public is the only leverage that forces companies to patch their software. And the white hat hacker gains cred for finding the bug, and if the company takes security seriously no harm to the public occurs.

    I’m sorry but acting as a black hat hacker and saying if only “they” rewarded me I’d be a better person is plain old bullshit.

  7. The hacker is right. And so is the MDN Take. I mean, how could Apple not think of blocking the login after several wrong passwords. That is really shameful. And why does Apple not reward people who find security holes? Really! I love Apple but please stop being so ignorant and arrogant!

  8. Most of these comments are gibberish, or at best just adolescents blurting out whatever pops into their heads. There are a few that try to make sense of the argument – whether to pay Russians to hack your systems instead of waiting for them to simply steal your money or reputation.
    There are bribes and ransom being paid all over the world by corporations (remember the Somali pirate payment drops from company airplanes?) so why not get some smart hackers on incentives to notify Apple of security holes? It’s a win-win.

  9. A couple comments:

    1) We know the naughty naked pictures went as far back as 2011, indicating that iBrute is NOT implicated in grabbing all the images. But it certainly could have allowed stealing some.

    2) The ‘reward’ for providing ANY company with security research findings is simply putting their name into the CVE report. THE END. Expecting a ‘bounty’ is ridiculous and unprofessional. It’s something some kid in Russia would expect, seeing as everything over there is based on bribery and other crimes.

    IOW: STFU Alexey Troshichev. You’re just another egotistical cracker / black hat. Hacking need not be a dickhead’s profession.
