Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March
blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he has successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.
Apple really screwed the pooch with Celebgate. Protecting against brute-force attacks is like security 101.
Apple swears the iCloud fiasco was due to a long-running phishing campaign and not the iCloud bug. Maybe it is true. I do remember last year receiving, weeks in a row, phishing emails in my Gmail account stating that my "Apple account was to be cancelled, and I need to...". The emails appeared to be the real thing except for the headers. My own family called me to ask if such emails were legit, so I would not be surprised if non-technical people and not-that-smart people have fallen for such schemes.

Couple this with the fact that there is no need to access iCloud once you have got the password: you don't even need special software or "law enforcement" software, you just go to icloud.com and watch the iCloud photo stream. That comes activated by default with every iPhone, and is a pain in the ass, because once you are on whatever kind of wifi after taking photos, it starts to synchronise. In many parts of the world, on holidays with limited wifi, it will kill your ability to use the wifi until all the photos are in sync. And about deleted photos appearing: I bet many deleted them locally on the iPhone but forgot to delete them in iCloud. So no high tech there, just people being dumb people, as usual.
Create an anonymous Twitter account and start tweeting details and mentioning @Apple. Partially redact them, if you want.
The only way to get attention from a major corporation is to make a big public stink.
20,000 is not a brute-force attack. That will only succeed if your password is 3 characters long.
I find it hard to believe anyone was actually vulnerable to this.
While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
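The reply above argues that 20,000 guesses is not a brute-force search but is plenty for a dictionary attack when it can be repeated across many accounts, and the summary's point is that the iCloud endpoint let those guesses through without limit. The following is an added example, not code from this thread, from Ibrahim Balic or from Apple: a constructed in-memory login service (`AuthService`, `dictionary_attack`, the user list and the wordlist are all made up for the demonstration) attacked with a small "popular passwords" list, first with no attempt limiting and then with a per-account lockout, so the difference in what the attacker gets back is visible.

```python
# Added example, not code from the Slashdot thread, from Ibrahim Balic or
# from Apple. AuthService, dictionary_attack, USERS and WORDLIST are all
# constructed for this demonstration; no real service or account is involved.
import hashlib
import hmac
import os


class AuthService:
    """Toy password check: salted PBKDF2 with an optional per-account lockout."""

    def __init__(self, users, max_attempts=None):
        self.max_attempts = max_attempts          # None means unlimited guesses
        self.failures = {name: 0 for name in users}
        self._db = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        # Low iteration count keeps the demo fast; raise it in real use.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'. Unknown users get 'denied' so the
        answer does not reveal which account names exist."""
        if user not in self._db:
            return "denied"
        if self.max_attempts is not None and self.failures[user] >= self.max_attempts:
            return "locked"
        salt, digest = self._db[user]
        if hmac.compare_digest(self._hash(password, salt), digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


def dictionary_attack(service, accounts, wordlist):
    """Try every wordlist entry against every account, stopping on a hit or a
    lockout. Returns (cracked {user: password}, number of guesses the service
    actually evaluated)."""
    cracked = {}
    guesses = 0
    for user in accounts:
        for candidate in wordlist:
            result = service.login(user, candidate)
            if result == "locked":
                break                 # throttling ends the run for this account
            guesses += 1
            if result == "ok":
                cracked[user] = candidate
                break
    return cracked, guesses


# Constructed sample accounts: three guessable passwords, one strong one.
USERS = {
    "alice": "password123",
    "bob": "correct-horse-battery-staple-v9",
    "carol": "letmein",
    "dave": "fluffy2012",             # pet name plus a year, a typical targeted guess
}

# Constructed stand-in for a "most common passwords" list; order matters for
# how many guesses a lockout allows before each weak password is reached.
WORDLIST = [
    "123456", "password", "password123", "qwerty", "12345678",
    "iloveyou", "abc123", "111111", "monkey", "dragon",
    "sunshine", "princess", "football", "baseball", "welcome",
    "letmein", "shadow", "master", "superman", "michael",
    "trustno1", "hello123", "charlie", "jordan23", "summer2014",
    "fluffy2012", "mustang", "freedom", "whatever", "ninja",
]


def run_unlimited():
    """No throttling: every guess is evaluated, as the summary describes."""
    return dictionary_attack(AuthService(USERS), list(USERS), WORDLIST)


def run_locked(max_attempts=10):
    """Per-account lockout after max_attempts failures."""
    return dictionary_attack(AuthService(USERS, max_attempts), list(USERS), WORDLIST)


if __name__ == "__main__":
    for label, run in (("no limit", run_unlimited), ("lockout at 10", run_locked)):
        cracked, guesses = run()
        print(f"{label}: {guesses} guesses evaluated, cracked {sorted(cracked)}")
```

With no limit, three of the four constructed accounts fall to a 30-word list in 75 guesses; with a lockout after 10 failures only the password that sits near the top of the list is found, and the other accounts stop accepting guesses. A bare per-account lockout is not the whole answer, since an attacker who knows a username can use it to lock the real owner out; production services pair the counter with per-source throttling, increasing delays and a CAPTCHA or second factor rather than a hard lock. The number that matters in the summary is that the endpoint evaluated all 20,000 guesses, which is the "no limit" row here.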
There are forum posts detailing how it was done and offering to do it if people can supply email addresses. It worked by brute-forcing passwords, which for celebs isn't hard because you can find the name of their boyfriend or pet with Google. Then software from Elcomsoft was used to download the data from iCloud, including deleted images that were in old backups, etc.
Expect it all to be spelled out in detail in the inevitable lawsuits. It will be interesting to see what the dignity of a celebrity is worth.