Slashdot Mirror


Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March

blottsie writes: Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.

5 of 93 comments

  1. Re:Not Brute Force by Anonymous Coward · Score: 4, Insightful

    I'd say 20,000 attempts is plenty. There have been enough leaks of real passwords from all over the web to compile an extremely accurate list of 20k of the most used passwords. Unless you are computer literate and security conscious enough to use a unique, randomly generated password for everything, there is a fair chance you've used one of the 20k passwords for something.

  2. Re:Not Brute Force by MatthiasF · Score: 4, Insightful

    Or just grab a list from one of those studies of stolen passwords and sort by most used password.

    Pretty sure one of the top 20,000 passwords on those lists will get you into 80% of the accounts out there.

  3. Re:celebgate by Fwipp · Score: 3, Insightful

    Yeah, those stupid celebrities. Why, I'll bet they keep their money in the bank, protected only by a PIN or online password! And park their cars *outside* sometimes, where anyone passing by could steal them. Heck, even their homes and loved ones are protected by little more than a simple series of alarm/gate codes. They're *definitely* primarily responsible for when criminals target them for deliberate harm.

    P.S: 's/where/were/g'

  4. Re:celebgate by Anonymous Coward · Score: 5, Insightful

    Are you an iDiot or an iFan?

    My bank allows only five mistakes before locking my account or swallowing my card. I have insurance for my car. If someone steals it (and it happened to me once), it's just a minor annoyance. As for my house, even if it's only a lock and an alarm, the moment the alarm goes off, I'll first get a call from ADT, then the police will come to check it out if I don't answer (most alarm companies here pay the local police to treat their call as a priority call).

    As the OP said, protecting against brute-force attacks is basic security. This is another major screw-up from Apple.

  5. Re:Not Brute Force by Eythian · Score: 5, Insightful

    Probably he stopped there. It's enough to be fairly sure there's no brute force protection in place.