Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March
blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.
Apple swears the iCloud fiasco was due to a long-running phishing campaign and not the iCloud bug. Maybe it is true; I do remember last year receiving, weeks in a row in my Gmail account, phishing stating my "Apple account was to be cancelled, and I need to...". The emails really appeared to be the real thing except for the headers. My own family called me to ask if such emails were legit, so I would not be surprised that non-technical people and not that smart people have fallen for such schemes. This, coupled with the fact that there is no need to access iCloud once you have got the password... you don't even need special software or "law enforcement" software, you just go to icloud.com and watch the iCloud photo stream. Which comes activated by default with every iPhone, and is a pain in the ass, because once you are in whatever kind of wifi after taking photos, it starts to synchronise. In many parts of the world, on holidays with limited wifi, it will kill your ability to use the wifi until all the photos are in sync. And about deleted photos appearing, I bet many deleted them locally on the iPhone but forgot to delete them in iCloud. So no hi-tech there, just people being dumb people, as usual.
20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.
I find it hard to believe anyone was actually vulnerable to this.
While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.
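The distinction drawn above, between hammering one account with thousands of guesses and trying a short list of popular passwords across many accounts, is exactly what a lockout counter alone misses. As an added example (not code from the article or from any commenter), this small detector runs over constructed sample auth log lines and separates the two patterns per source address; the log format, thresholds and addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
#   <timestamp> auth <FAIL|OK> user=<name> src=<ip>
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one source hammers a single account, one sprays a few
# guesses across many accounts, one is a user who mistyped once and recovered.
SAMPLE_LOG = (
    [f"2014-03-26T10:00:{i:02d} auth FAIL user=alice src=10.0.0.1" for i in range(12)]
    + [f"2014-03-26T10:01:{i:02d} auth FAIL user=user{i % 6} src=10.0.0.2" for i in range(12)]
    + ["2014-03-26T10:02:00 auth FAIL user=bob src=10.0.0.3",
       "2014-03-26T10:02:05 auth OK user=bob src=10.0.0.3"]
)

def parse(lines):
    """Yield parsed events, silently skipping lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def classify_sources(lines, per_account_limit=10, spray_accounts=5):
    """Return {src: verdict} where verdict is 'brute-force', 'spray' or 'benign'.

    brute-force: one account received more failures than a sane lockout
                 threshold (the per-account limit the iCloud bug bypassed).
    spray:       failures are spread thinly over many distinct accounts,
                 the dictionary-attack pattern a per-account lockout never sees.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for ev in parse(lines):
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1

    verdicts = {}
    for src, per_user in fails.items():
        if max(per_user.values()) > per_account_limit:
            verdicts[src] = "brute-force"
        elif len(per_user) >= spray_accounts:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "benign"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src}: {verdict}")
```

The spray rule is the one worth adding to any login-monitoring pipeline: a per-account lockout caps guesses on one account, but only a per-source view across accounts catches a short password list tried against thousands of users.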
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?