A new tool recently submitted to GitHub can allegedly perform password dictionary attacks on iCloud accounts, without being detected by Apple’s brute-force protections that are supposed to prevent such attacks.
The source code for the tool has been released on GitHub. On inspection, the tool is rather crude: it simply tries every word in its 500-entry word list as the password for a given iCloud account email. So while it will reliably make all 500 attempts, it is by no means guaranteed to crack your password.
Apple said in September of last year that it had closed a hole that allowed such attacks to occur.
Any password that is not in the word list is safe from this tool. However, because many users do choose plain dictionary words as passwords, such holes are important to fix. An attacker with the resources to run a substantially larger list, one that could include non-dictionary strings, could apply the same technique with that larger list.
9to5Mac reports that the attack appears to rely on the tool pretending to be an iPhone. Apparently Apple’s servers allow these login requests from an iPhone without locking the account after numerous failed attempts.
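The weakness described above is a lockout that depends on a client-supplied claim. The following is an added illustration, not code from the article or from the tool it describes: a small per-account login throttle with the weak policy (requests claiming to be an iPhone skip the lockout check) beside the hardened policy (every failed attempt counts, whatever the client says it is), plus a registration-time check that rejects passwords found in a common-word list. The account, password, word-list entries and the `exempt_clients` parameter are all constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample data for the demonstration; not real accounts or the tool's own list.
ACCOUNTS = {"alice@example.com": "tr0ub4dor&3"}
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "monkey"}
MAX_FAILED_ATTEMPTS = 5


class LoginThrottle:
    """Per-account failed-login counter with lockout.

    exempt_clients (a constructed parameter) models the weakness in the
    article: requests that merely claim to be a given client type skip the
    lockout check. The empty set is the hardened policy: every client is
    counted and locked out the same way.
    """

    def __init__(self, exempt_clients=frozenset()):
        self.exempt_clients = frozenset(exempt_clients)
        self.failed = defaultdict(int)
        self.locked = set()

    def attempt(self, email, password, client="web"):
        # The client type is attacker-controlled text; trusting it for an
        # exemption is exactly the flaw being modelled.
        if email in self.locked and client not in self.exempt_clients:
            return "locked"
        if ACCOUNTS.get(email) == password:
            self.failed[email] = 0
            return "ok"
        self.failed[email] += 1
        if self.failed[email] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(email)
        return "denied"


def guesses_evaluated(throttle, email, wordlist, client="web"):
    """Count how many word-list entries the server actually checked before
    the account locked. A sound throttle keeps this number small regardless
    of what the client claims to be."""
    evaluated = 0
    for word in wordlist:
        result = throttle.attempt(email, word, client)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


def is_dictionary_password(password):
    """Registration-time check: reject passwords that appear in a common-word list."""
    return password.lower() in COMMON_PASSWORDS
```

Running the weak policy with a client string of `"iphone"` lets the whole list be evaluated; the hardened policy stops after `MAX_FAILED_ATTEMPTS` no matter what the client claims, which is the behaviour a server-side lockout must have to be meaningful.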
The GitHub user who posted it, “@Pr0x13,” said he did so to let Apple know about the hole:
“This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities, I publicly disclosed it so Apple will patch it.”
A number of celebrities had their iCloud account information stolen in August 2014, resulting in the posting of thousands of nude and revealing photos online.