iCloud accounts at risk after hacker releases tool allowing access to any login

“All iCloud accounts could be vulnerable to hacking by a new tool that claims it can break into any user’s login,” Andrew Griffin reports for The Independent. “The tool claims to use an exploit to get through Apple’s security.”

“It uses a ‘dictionary attack’ to get into accounts — a hack that involves automatically trying a number of passwords until the right one is found. Sites usually have locks in place to stop such an attack, by only allowing a certain number of tries of one password, but the tool claims to be able to bypass those,” Griffin reports. “A number of posters on Twitter and Reddit claimed to have used the tool successfully.”

“If it does work, setting up two-step verification — which requires users to enter a code sent to their phone — could keep such an attack at bay,” Griffin reports. “The creator of the tool said that they had released the ‘so Apple will patch it.’ But other security activists criticised the leak, and said that the user, who calls themselves pr0x13, should have informed Apple of the problem… iCloud vulnerabilities were also thought to be used to steal hundreds of leaked pictures of celebrities in what was called ‘The Fappening,’ in August and September.”

Read more in the full article here.

35 Comments

  1. Every day some other bad Apple news. Lawsuits, hacks, just relentless attacks. Little wonder AAPL cannot get any traction despite analysts high ratings. Takes guts to hang on to AAPL.

      1. Agreed.

        Speaking of guts, I lost my nerve around thanksgiving, though. I tripled my money, so I sold 2/3 of my AAPL position.

        It isn’t that I don’t have faith in Apple. On the contrary, I know they’ll keep doing amazing things, I know Apple Pay will be successful, and I know the Apple Watch will probably be like the iPod and iPhone (meaning it will be wildly successful in spite of my personal feelings about it). What I don’t have faith in is the market. I think Wall Street will eventually fail to recognize and reward Apple for their competency and resultant successes. Some shiny object will come along and distract people. I hope I’m wrong.

    1. Don’t fret, whore street analysts and jouranalists are working it hard so that Apple will be getting bad news every few hours.

      Yeah sure it takes guts to hang on to AAPL, but hey can you imagine what it takes to be a whore street analyst or jouranalist?

  2. I think Apple has a huge team of people doing their own hacking on all of Apple’s software and hardware as a part of their huge security efforts.

    That is no doubt why 2 factor authentication was set up. Even if you close the fault the hacker found, there will be another method found (looking over someone’s shoulder?.) Hence, Apple provides an easy 2 step method.

    The real question today is why people choose not to use 2 factor authentication? Awareness is key. Maybe Apple ought to put out their own video on the issues (I haven’t heard of one.)

    1. 2 factor requires your cell phone, right? So if I don’t have my cell phone on my for any reason, I’m locked out of my account. That’s bad enough for me to avoid using 2 factor authentication.

      If I lose my phone now, the first thing I would want to do is log in to iCloud.com and use Find My iPhone to locate it, and possibly lock it down in “stolen” mode. But if I have 2 factor authentication, that wouldn’t work! I wouldn’t be able to get past iCloud’s login screen!

      Losing a cell phone has enough problems as is – trying to find it, worrying about lost or stolen data, spending money buying a new phone, giving a new phone number to all my friends and relatives. I don’t want to add “locked out of my email and other online accounts” to that already too long list of problems. Screw that “feature”.

      1. Like Bo said, “Awareness is key.”

        If all you’re concerned about is your iPhone with iCloud, you’ll have no problem with a new iPhone.

        If you’re concerned about your Mac, if your iPhone is lost, you’ll have no problem continuing to use your Mac.

        If you’re concerned about losing both your Mac and your iPhone and being locked out if you can only get a new Mac, but not a new iPhone, you can still do the 2nd authentication either by:
        1) Setting up another device you have as a trusted device.
        2) Setting a trusted friend/family member’s phone as a trusted device and getting the code from them when needed.

        If you have no other trusted device, and you never set up a trusted friend or family member… you can still get into your account with the second backup passcode.

        1. Thanks for your reply. I am really curious about 2 factor, even though I remain skeptical about it.

          You suggestions work in some situations, but I still think they have problems. Setting up backup authenticated devices opens my account up to other vectors of getting hacked (through the new authenticated devices), it’s time consuming, and still would not help in many lost phone situations. If my phone gets lost, timing is critical, because Find My iPhone only really works while the phone has battery life and thieves can move quickly. I could lose my phone while being many miles away from other authenticated device – it would absolutely suck if I had to fly back home to get to an authenticated device before I could locate or lock down a lost phone.

          And having a second backup password – how’s that better than having a primary password? Same problems: would have to be either simple enough for me to memorize or be written down somewhere, and it could possibly get cracked or phished or forgotten or lost like any other password. That just seems to combine the inconvenience of 2 factor authentication with all the security issues of using a password.

          1. Kayan…Two factor authentication is not needed to use Find my iPhone. It’s only required to use the rest of the iCloud services. That means that if you lose your iPhone, you don’t need a trusted device or a key of any kind to locate the lost phone.

          2. Thanks for your reply.

            No problem, here’s more info:

            Setting up backup authenticated devices opens my account up to other vectors of getting hacked (through the new authenticated devices)

            No, it doesn’t. All the authenticated device does is allow you authorize a log in attempt on another new device. It can’t log you in itself.

            Suppose you ask your girlfriend to have her iPhone be a trusted device. Then, you have a horrible break up, and you forget that her iPhone was a trusted device. She can’t do anything with her iPhone in regards to your account other than see the authentication code when a log in attempt is made on a new device and her phone is selected to receive the authentication code.

            Now, it may be that she’s trying to log in to your account, and her receiving the authentication code is bad, but if you had two-factor turned off, she wouldn’t need the code anyway, and further, you wouldn’t get notified that she was trying to break into your account.

            it’s time consuming

            Not really, it only comes up with a new device that hasn’t been trusted yet and you just need to quickly enter the authorization code. Literally, it’s a few seconds when you get a new device.

            …Find my iPhone…
            Nope, just log in from any device, trusted or not.

            And having a second backup password – how’s that better than having a primary password?

            Simple… the second backup password is inherently a strong password that is generated for you. It prevents someone from guessing into your account or brute forcing into your account. Sure, it would be more secure without that possibility, but it greatly increases security while also providing an alternative method for getting back into your account as a backup.

            And yes, you can write it down somewhere… keep it in your wallet or whatever. You can’t just use the backup password to get into your account.

      2. When you set up two factor authentication you’re given a key, which can be used to log into your account should you forget your password or lose one of your authorization devices (I have two; my iPad and my iPhone)

  3. Downloaded and installed this just to poke around to see what it actually does. It’s a slick little tool, but it shouldn’t be too hard for Apple to patch. The wordlist provided isn’t nearly big enough to actually be effective. I imagine it was just included as an example.

    1. Many have already pointed out this “vulnerability” in iCloud before, and Apple keeps denying that it’s a real problem. I understand both points of view, and I’m leaning toward agreeing with Apple.

      The only way this “exploit” really works is if you have a really stupid and very insecure password to begin with.

      I downloaded and tested this tool, and it failed to crack my password. As Elmo Blatch posted before, the wordlist provided with it was too limited to make it very effective out of the box.

      Adding a bigger wordlist would make this tool more effective, but not effective enough to be a serious issue in my view. iCloud passwords must be at least 8 characters long (and there’s other restrictions too) – making hundreds of billions of possible minimum length password. An exhaustive brute force attack based on just the minimum password restrictions would take hours, and surely would get your IP address blocked by iCloud servers before matching any relatively secure password.

      So basically, as long as your password is unique enough to not appear in a list of commonly used passwords (sound advice for any password) this “vulnerability” won’t work on your account.

      1. There’s a wordlist that you can torrent that hovers around 60GB. Imagine how many word/number/special character combinations exist in a 60GB text file. If I didn’t have two-factor enabled, it would be a legitimate area of concern.

          1. Was thinking kind of the same thing at first: this text file could (according rough calculation) contain about a trillion unique passwords, but a very simple computer could easily beat that by generating an unlimited number of unique passwords.

            But there are some potential advantages to the gigantic password list: it could be populated with real world passwords stolen from many different data breaches, and it could be sorted by common usage, making it more effective than computer generated passwords. It really depends on how much quality and effort went into maintaining such a list.

            I still don’t think my iCloud password could be cracked with such a list, but I can’t totally discount that possibility that other relatively secure iCloud passwords might, as many people reuse passwords or just go through similar thought processes when creating passwords.

            1. That’s the point of word lists. Most people use passwords like “password” or “winter2014”. These wordlists are designed to take down the lowest common denominator passwords that the majority of people use. Obviously most people that are even slightly security conscious, wouldn’t be vulnerable to these wordlist attacks. iClouds auto-generated passwords are a good example of random passwords that aren’t very vulnerable. The only problem with them is the number of websites that still don’t allow dashes in passwords. Effectively making iClouds auto-generated passwords unusable for a lot of online activity.

      2. I always have to give the annoying news that people need to change their passwords to something more difficult. I’ve seen so many stupid 1 word passwords like “beautiful” I could scream. When I set up a new computer for someone I force them to have better passwords and have an admin side.

    1. Totally agree. I have never bought into the cloud BS. I will decide what I want to store and where I want to store it. Far away from prying eyes. I don’t want all my devices to be AUTO-SYNC-SLAVES. My storage requirements are different for all my Apple devices because of different needs, personal and professional, et al. I guess that it too difficult to understand for the one size fits all crowd.

    1. The word list is not what is important, it is just an example.

      If there is an exploit that lets you cycle through a list without locking out the account, then creating a larger list is not that hard.

      1. Seems to me that Apple should consider locking the account for a period of say, two hours, after a relatively small number of incorrect password entries.

        How large would an expanded list of passwords have to be (or randomly created passwords) before it includes my 9-character alphanumeric password, given that case makes a difference? Really, really large! Needless to say, my password isn’t “password1” (or any permutation of it).

        1. That list would have to be over one hundred trillion passwords long. (9-character alphanumeric is pretty darn secure.)

          I think Apple might start automatically locking out iCloud logins after too many wrong guesses now. Not because this tool is necessarily that great at cracking iCloud passwords, but because of the flood of incorrect password guesses from this tool could slow their servers down.

          1. That’s the primary exploit here. Apple’s servers don’t currently lock an account or block an IP after a specified number of incorrect attempts. They just let keep trying and trying. It’s a simple fix, that they should be able to implement rather quickly.

            1. Yeh, do it quickly before I have to change my always longer than 14 character PW. For critical info use 3 non-cloud backups with one off site. Back in the late 1980s when modems were S-O–S-L-O-W, we used a BERETTA NET. Took a Syquest Cartridge out to the old blue Beretta in the parking lot and drove the files across town. A Hacker-Free solution that got us out of the office.

  4. My password is a 9-character alphanumeric version of an unlikely word. It’s highly unlikely any exploit that uses any reasonable dictionary would guess it.
    Maybe one that can parse the entire Oxford English Dictionary with every alphanumeric combination of every word might stand a chance.

  5. Again, pure panic mongering.

    We discussed the security topic long time ago when Jennifers privacy became public… And we all know that your password is the key when it comes to privacy!

    It’s not the Cloud that can be “hacked”
    It is just about passwords that can be guessed.

    And this is not an Apple issue. It is a general lack of awareness !

    Focus on what Non-Apple users are facing when it comes to security and privacy (Windows & Google) OMG, thats a nightmare.
    Come on, this is not about “religiously defending your ecosystem”. These are just the facts, dude.

    HINT:
    Use characters, upper and lower case, also numbers and special characters.
    Avoid words or names or your birthday!

    And do not believe every word somebody tells you, especially not the established media or even the all-the -time-around-got-nothing-better-to-do-forum-trolls.
    Guess what, most of them do not even own a Mac.
    They just cannot withstand the coolness of Mac users.

    So now trolls, it is your turn to show your fierce face.

    But do not forget, if you cannot really proof it you better get lost 😉

    1. “Again, pure panic mongering.”

      Agreed. The headline is dishonest. A better headline would have been “Hackers release tool to ease brute force guessing of iCloud passwords.”

  6. Anyone using a password that can be cracked by a modern dictionary attack doesn’t understand the word ‘random’ or the point of having passwords.

    IOW: Never use anything coherent, including 1337-speak, as a password. Apple offers free random password suggestions in OS X for a reason.

Leave a Reply to Michael Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.