Creator of iCloud hacker tool: I would have warned Apple if they properly rewarded researchers

“The researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project,” Thomas Fox-Brewster reports for Forbes. “The Russian told me he would have done so instead of posting the information on Github, a public code depository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.”

“Apple did eventually patch the flaw, according to Troshichev, which allowed for unlimited username and password guesses on the Find My iPhone software, but it appears the security hole was open long enough for hackers to cause trouble,” Fox-Brewster reports. “Some suspected Troshichev’s iBrute tool was used by those responsible for the celebrity leaks, alongside a number of hacking tools such as Elcomsoft’s Phone Password Breaker and Jack the Ripper.”

Fox-Brewster reports, “But Apple in its infinite opacity has neither confirmed nor denied such claims, simply saying there was no breach of its iCloud or Find My iPhone systems and that the photo leaks were the result of ‘a very targeted attack on user names, passwords and security questions,’ which didn’t rule out use of brute forcing or subsequent account compromises.”

Read more in the full article here.

MacDailyNews Take: As we wrote yesterday:

Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.

[The] idea that Apple should compensate hackers and security researchers for finding and reporting bugs to Apple is proven and sound.

For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)

Apple could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.
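The missing control the Take refers to (a login interface that accepts unlimited guesses) is easiest to understand next to the fix. The following is an added example written for this page, not code from the article, from Troshichev's tool, or from Apple: an unthrottled password check beside a wrapper that adds a per-account lockout and a per-source sliding-window limit. The account store, the salt, the IP addresses, the guess list and the thresholds (5 failures, 15-minute lockout, 20 attempts per minute per source) are all constructed for the demo, and time is injected so the run is deterministic.

```python
"""Login throttling: the control whose absence lets rapid-fire guessing succeed.

Constructed for illustration: the demo account, salt, threshold values and
addresses below are not Apple's. Time is passed in explicitly.
"""
import hashlib
import hmac
from collections import deque


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so each guess costs the server real work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-demo-salt"
# Constructed account store: username -> (salt, derived key).
ACCOUNTS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def check_password(username: str, password: str) -> bool:
    """Unthrottled verification: every call evaluates a guess (the weak design)."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        _hash(password, _SALT)  # spend the same time for unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


class ThrottledLogin:
    """Per-account lockout plus a per-source sliding-window attempt limit."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 source_limit=20, source_window=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.source_limit = source_limit
        self.source_window = source_window
        self._failures = {}      # username -> (failure count, locked_until)
        self._source_hits = {}   # source ip -> deque of attempt timestamps
        self.evaluated = 0       # how many guesses reached check_password

    def _source_allowed(self, ip: str, now: float) -> bool:
        hits = self._source_hits.setdefault(ip, deque())
        while hits and now - hits[0] >= self.source_window:
            hits.popleft()       # drop attempts outside the window
        if len(hits) >= self.source_limit:
            return False
        hits.append(now)
        return True

    def attempt(self, username: str, password: str, ip: str, now: float) -> str:
        """Return 'ok', 'bad_credentials', 'locked' or 'rate_limited'."""
        if not self._source_allowed(ip, now):
            return "rate_limited"
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"      # rejected without evaluating the guess
        self.evaluated += 1
        if check_password(username, password):
            self._failures.pop(username, None)
            return "ok"
        count += 1
        if count >= self.max_failures:
            self._failures[username] = (0, now + self.lockout_seconds)
            return "locked"
        self._failures[username] = (count, locked_until)
        return "bad_credentials"


def simulate_guessing(throttle: ThrottledLogin, guesses, ip="198.51.100.7"):
    """Replay a constructed guess list against 'alice', one guess per second.

    Returns (outcomes, guesses_actually_evaluated): once the account is
    locked, later guesses, including a correct one, never reach check_password.
    """
    outcomes = [throttle.attempt("alice", g, ip, now=float(i))
                for i, g in enumerate(guesses)]
    return outcomes, throttle.evaluated


if __name__ == "__main__":
    guesses = ["wrong%d" % i for i in range(9)] + ["correct horse battery staple"]
    print(simulate_guessing(ThrottledLogin(), guesses))
```

Two things the run makes visible: the unthrottled `check_password` evaluates every guess it is handed, while the wrapper stops evaluating after the fifth failure, so the correct password at the end of the list is refused until the lockout expires. The per-source window is separate from the per-account counter because a guesser can spread attempts across many usernames; a real deployment would also key the limit on more than the source address and log both counters as detection signals.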

Related articles:
The police tool that hackers use to steal nude photos from Apple’s iCloud – September 3, 2014
Apple would benefit from being more transparent about security – September 3, 2014

48 Comments

  1. This hacker wants to be viewed as a white hat, while claiming if only Apple paid me to be a grey hat, while acting as a black hat.

    Hackers have and play a very important role in software. White hats hone the skill and seek the community recognition for their skills. Grey hats work, directly or indirectly, for the security firms. Seeking bucks and recognition. Too often their egos want the press and they straddle the lines. Black hats seek to wreak mayhem via their exploits.

    Apple and all other software firms constantly work to improve the security of their software by engaging with hackers. The white hat protocol is to inform a firm and provide a window of time allowing for them to effect a patch and then go public. Usually 30 days is the window. After that going public is the only leverage that forces companies to patch their software. And the white hat hacker gains cred for finding the bug and if the company takes security seriously no harm to the public occurs.

    I’m sorry but acting as a black hat hacker and saying if only “they” rewarded me I’d be a better person is plain old bullshit.

  2. The hacker is right. And so is the MDN Take. I mean, how could Apple not think of blocking the login after several wrong passwords. That is really shameful. And why does Apple not reward people who find security holes? Really! I love Apple but please stop being so ignorant and arrogant!

  3. Most of these comments are gibberish, or at best just adolescents blurting out whatever pops into their heads. There are a few that try to make sense of the argument – whether to pay Russians to hack your systems instead of waiting for them to simply steal your money or reputation.
    There are bribes and ransom being paid all over the world by corporations (remember the Somali pirate payment drops from company airplanes?) so why not get some smart hackers on incentives to notify Apple of security holes? It’s a win-win.

  4. A couple comments:

    1) We know the naughty naked pictures went as far back as 2011, indicating that iBrute is NOT implicated in grabbing all the images. But it certainly could have allowed stealing some.

    2) The ‘reward’ for providing ANY company with security research findings is simply putting their name into the CVE report. THE END. Expecting a ‘bounty’ is ridiculous and unprofessional. It’s something some kid in Russia would expect, seeing as everything over there is based on bribery and other crimes.

    IOW: STFU Alexey Troshichev. You’re just another egotistical cracker / black hat. Hacking need not be a dickhead’s profession.
