Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March
blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he has successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.
Has anyone actually shown that this was exploited by anyone?
Don't forget their newest phones that bend. Oh and that great update that removes all phone functionality.
I live in the U.S. When I go to Check Order Status in my Apple on-line account (store.apple.com), I find hundreds of orders, none of which are mine, coming from all over Western Europe, dating back to July of this year. I see the items ordered, order numbers, mailing and shipping addresses and e-mail information for them all. I can track shipments, but I can't cancel orders.
I can tell you the iPhone 5s is still being order in significant quantities, but the iPhone 6 and 6 Plus orders are vastly greater and roughly equal in number, particularly for bulk orders.
I called Apple about this problem immediately, when I first found out about it, after having received a suspicious e-mail from Apple inquiring about my on-line store experience written in French. After calling two more times and seemingly wasting all of those hours talking with Apple representatives, nothing has changed. More orders just keep showing up in my on-line account. I changed my password right away and already had 2-factor authentication in place. No change. The last Apple rep said they would call me back the next day but never did. There seem to be many layers of escalation and every time I called, the time difference between the U.S. and Europe was claimed to be an impediment. The Apple reps could never see the order information either--I always had to read them examples of order numbers over the phone. A brain-dead support system.
"Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account."
20,000 is not a brute-force attack. That will only succeed if your password is 3 characters long.
I find it hard to believe anyone was actually vulnerable to this.
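An added example, not code from Apple, from Balic, or from anyone in this thread: a toy per-account failed-login lockout of the kind the summary says was bypassed, run once with the lockout enforced and once with it switched off against a constructed list of 20,000 guesses, plus the keyspace arithmetic behind the 20,000-versus-3-characters point in the post above. Everything in it is assumed: the account name and password, the lockout threshold, the salt and the (deliberately low) PBKDF2 iteration count.

```python
"""Toy model of a per-account failed-login lockout and of how far 20,000 guesses go.

Added example; not Apple's code and not from the thread. All names, passwords,
thresholds and hashing parameters are constructed for the demo.
"""
import hashlib
import hmac
import itertools
import string

MAX_FAILED_ATTEMPTS = 10  # assumed threshold; real values are vendor policy
PBKDF2_ITERATIONS = 100   # kept low so 20,000 guesses run in seconds; use far more in production
SALT = b"constructed-salt"


class AuthService:
    """Verifies passwords and counts consecutive failures per account."""

    def __init__(self, users, enforce_lockout=True):
        self._creds = {u: self._hash(p) for u, p in users.items()}  # hashes only, no plaintext
        self._failures = {u: 0 for u in users}
        self.enforce_lockout = enforce_lockout
        self.attempts_evaluated = 0

    @staticmethod
    def _hash(password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ITERATIONS)

    def is_locked(self, user):
        return self.enforce_lockout and self._failures.get(user, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, user, password):
        """Return 'ok', 'bad' or 'locked'. A locked account never has the guess evaluated."""
        if user not in self._creds:
            return "bad"
        if self.is_locked(user):
            return "locked"
        self.attempts_evaluated += 1
        if hmac.compare_digest(self._hash(password), self._creds[user]):
            self._failures[user] = 0  # success resets the counter
            return "ok"
        self._failures[user] += 1
        return "bad"


def keyspace(alphabet_size, length):
    """Number of passwords of exactly `length` characters over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def coverage(guesses, alphabet_size, length):
    """Fraction of that exhaustive keyspace which `guesses` attempts can cover (capped at 1.0)."""
    return min(1.0, guesses / keyspace(alphabet_size, length))


def make_guesses(n):
    """Constructed guess list: every 3-letter lowercase string in order, then 4-letter ones, cut to n."""
    letters = string.ascii_lowercase
    gen = ("".join(t) for length in (3, 4) for t in itertools.product(letters, repeat=length))
    return list(itertools.islice(gen, n))


def run_attack(service, user, guesses):
    """Submit each guess in order; return (outcome counts, first guess that succeeded or None)."""
    counts = {"ok": 0, "bad": 0, "locked": 0}
    hit = None
    for g in guesses:
        result = service.login(user, g)
        counts[result] += 1
        if result == "ok" and hit is None:
            hit = g
    return counts, hit


def demo():
    users = {"alice": "zzz"}  # constructed 3-letter password, matching the thread's arithmetic
    guesses = make_guesses(20000)
    with_lockout = run_attack(AuthService(users, enforce_lockout=True), "alice", guesses)
    without_lockout = run_attack(AuthService(users, enforce_lockout=False), "alice", guesses)
    return with_lockout, without_lockout


if __name__ == "__main__":
    (locked_counts, locked_hit), (open_counts, open_hit) = demo()
    print("lockout enforced:", locked_counts, "recovered:", locked_hit)
    print("lockout missing: ", open_counts, "recovered:", open_hit)
    print("20,000 guesses cover %.1f%% of 3 lowercase letters" % (100 * coverage(20000, 26, 3)))
    print("20,000 guesses cover %.2f%% of 3 alphanumeric chars" % (100 * coverage(20000, 62, 3)))
```

With the lockout in place the attacker gets ten evaluated guesses and 19,990 refusals; with it missing, all 20,000 are evaluated and the 3-letter password falls, since 26^3 = 17,576 is smaller than the guess budget, while the same budget covers about 8% of 3-character mixed-case alphanumerics and a negligible share of anything longer. The counter resetting only on a correct password, and being checked before the hash is computed, is what makes the control bite.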
I was helping someone with their forgotten iCloud password and we tried a few dozen variations. My incorrect guess was that, instead of telling me to go to hell, it was playing some odd game such as letting me try passwords while ignoring me, to waste my time.
It simply never occurred to me that this was a ginormous security hole staring me in the face. What exactly is happening at Apple? There is Bentgazi, iOS 8 killing the iPhone 4s and iPhone 5, iOS 8.0.1 killing the iPhone 6, apparently a last-minute screen switch away from sapphire, plus many other subtle things such as it doesn't seem like they are using Liquidmetal in their cases, and the whole U2 spam crap, which it turns out they wrote a massive cheque to U2 for. Then there is the collective yawn over the iWatch. But worst of all is the total lack of a substantially new product in years. Basically the business model at Apple has been to steamroll all their older product lines with something mind-boggling. But they seem to have stalled. iPhone sales are awesome, but if you look at the history of all of Apple's previous products, they basically had their day in the sun and then were eclipsed by the latest and greatest Apple product: iMacs, iPods, iPod touches, Nanos, iPhones, iPads, and now the iWatch. I think that the iWatch will end up sitting alongside the Apple TV, not eclipsing anything.