Slashdot Mirror


Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March

blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.

24 of 93 comments

  1. celebgate by Anonymous Coward · · Score: 3, Informative

    apple really screwed the pooch with celebgate. protecting against brute force attacks is like security 101

    1. Re:celebgate by Anonymous Coward · · Score: 3, Interesting

      Don't forget their newest phones that bend. Oh and that great update that removes all phone functionality.

    2. Re:celebgate by Fwipp · · Score: 3, Insightful

      Yeah, those stupid celebrities. Why, I'll bet they keep their money in the bank, protected only by a PIN or online password! And park their cars *outside* some times, where anyone passing by could steal it. Heck, even their homes and loved ones are protected by little more than a simple series of alarm/gate codes. They're *definitely* primarily responsible for when criminals target them for deliberate harm.

      P.S: 's/where/were/g'

    3. Re:celebgate by Revek · · Score: 3, Funny

      I know not of this celebgate. Perhaps I know it by a different name?

    4. Re:celebgate by Lunix+Nutcase · · Score: 3, Informative

      The Fappening.

    5. Re:celebgate by Anonymous Coward · · Score: 5, Insightful

      Are you an iDiot or an iFan?

      My bank allows only five mistakes before locking my account or swallowing my card. I have insurance for my car. If someone steals it (and it happened to me once), it's just a minor annoyance. As for my house, even if it's only a lock and an alarm, the moment the alarm goes off, I'll first get a call from ADT, then the police will come to check it out if I don't answer (most alarm companies here pay the local police to treat their call as a priority call).

      As the OP said, protecting against brute force attack is basic security. This is another major screw up from Apple.

  2. Re:He was holding it wrong by Anonymous Coward · · Score: 4, Funny

    No, he was entering passwords wrong. You're only supposed to enter one password not 20,000. The latter is not part of crApple's UX design.

  3. Re:He was holding it wrong by turkeydance · · Score: 3, Funny

    i'm busted. my password was 20000.

  4. Exploited in real life? by mveloso · · Score: 3, Interesting

    Has anyone actually shown that this was exploited by anyone?

    1. Re:Exploited in real life? by ruir · · Score: 4, Informative

      Apple swears the iCloud fiasco was due to a long-running phishing campaign and not the iCloud bug. Maybe it is true; I do remember last year receiving, weeks in a row, phishing in my gmail account stating my "Apple account was to be cancelled, and I need to...". The emails really appeared to be the real thing except for the headers. My own family called me to ask if such emails were legit; so I would not be surprised non-technical people and not that smart people have fallen for such schemes. This, coupled with the fact there is no need to access iCloud once you have got the password... you don't even need special software or "law enforcement" software, you just go to icloud.com and watch the iCloud photo stream. Which comes activated by default with every iPhone, and is a pain in the ass, because once you are on whatever kind of wifi after taking photos, it starts to synchronise. In many parts of the world, on holidays with limited wifi, it will kill your ability to use the wifi until all the photos are in sync. And about deleted photos appearing, I bet many deleted them locally on the iPhone, but forgot to delete them in iCloud. So no hi-tech there, just people being dumb people, as usual.

    2. Re:Exploited in real life? by AmiMoJo · · Score: 3, Informative

      There are forum posts detailing how it was done and offering to do it if people can supply email addresses. It worked by brute forcing passwords, which for celebs isn't hard because you can find the name of their boyfriend or pet with Google. Then software from Elcomsoft was used to download the data from icloud, including deleted images that were in old backups etc.

      Expect it all to be spelled out in detail in the inevitable lawsuits. It will be interesting to see what the dignity of a celebrity is worth.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  5. ONE MORE THING... by Anonymous Coward · · Score: 4, Interesting

    I live in the U.S. When I go to Check Order Status in my Apple on-line account (store.apple.com), I find hundreds of orders, none of which are mine, coming from all over Western Europe, dating back to July of this year. I see the items ordered, order numbers, mailing and shipping addresses and e-mail information for them all. I can track shipments, but I can't cancel orders.

    I can tell you the iPhone 5s is still being ordered in significant quantities, but the iPhone 6 and 6 Plus orders are vastly greater and roughly equal in number, particularly for bulk orders.

    I called Apple about this problem immediately, when I first found out about it, after having received a suspicious e-mail from Apple inquiring about my on-line store experience written in French. After calling two more times and seemingly wasting all of those hours talking with Apple representatives, nothing has changed. More orders just keep showing up in my on-line account. I changed my password right away and already had 2-factor authentication in place. No change. The last Apple rep said they would call me back the next day but never did. There seem to be many layers of escalation and every time I called, the time difference between the U.S. and Europe was claimed to be an impediment. The Apple reps could never see the order information either--I always had to read them examples of order numbers over the phone. A brain-dead support system.

    1. Re:ONE MORE THING... by Anonymous Coward · · Score: 2, Funny

      No worries. You were just using the web page wrong.

    2. Re:ONE MORE THING... by sexconker · · Score: 3, Informative

      Create an anonymous Twitter account and start tweeting details and mentioning @Apple . Partially redact them, if you want.
      The only way to get attention from a major corporation is to make a big public stink.

  6. Not Brute Force by abhi_beckert · · Score: 3, Interesting

    "Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account."

    20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

    I find it hard to believe anyone was actually vulnerable to this.

    1. Re:Not Brute Force by Anonymous Coward · · Score: 4, Insightful

      I'd say 20,000 attempts is plenty. There have been enough leaks of real passwords from all over the web to compile an extremely accurate list of 20k of the most used passwords. Unless you are computer literate and security conscious enough to use a unique, randomly generated password for everything, there is a fair chance you've used one of the 20k passwords for something.

    2. Re:Not Brute Force by aardvarkjoe · · Score: 5, Informative

      20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

      I find it hard to believe anyone was actually vulnerable to this.

      While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?

    3. Re:Not Brute Force by MatthiasF · · Score: 4, Insightful

      Or just grab a list from one of those studies of stolen passwords and sort by most used password.

      Pretty sure one of the top 20,000 passwords on those lists will get you into 80% of the accounts out there.

    4. Re:Not Brute Force by ljw1004 · · Score: 3, Funny

      20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

      I find it hard to believe anyone was actually vulnerable to this.

      20,000 not brute force?!! Would you call it "subtle and refined"?

    5. Re:Not Brute Force by Anonymous Coward · · Score: 3, Interesting

      http://uwnthesis.wordpress.com/2012/08/30/top-10000-passwords-are-used-by-98-8-of-all-users/

      The top 10k passwords are used by 98.8% of all users. 20k would get them plenty!

    6. Re:Not Brute Force by Eythian · · Score: 5, Insightful

      Probably he stopped there. It's enough to be fairly sure there's no brute force protection in place.
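
The point of this subthread, that 20,000 guesses is a dictionary attack rather than a brute force and is plenty against an endpoint that never throttles, as an added example that is not part of the original thread and not Apple's code. It models a toy password check with and without the bank-style "five mistakes and you're locked" rule mentioned earlier in the thread, runs a wordlist against it the way the summary describes, and goes one step past the text by also showing password spraying (a few guesses per account across many accounts), which stays under a per-account lockout. The user accounts, the short stand-in for a "top 20k" list, and the lockout threshold are all constructed for illustration.

```python
"""Added example (not from the Slashdot thread or from Apple): a toy login
endpoint showing why a 20,000-entry wordlist is enough when nothing throttles
it, and what a per-account lockout does and does not change.
All accounts, passwords and the wordlist below are constructed."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed stand-in for "the top 20k passwords"; real lists are far longer,
# but the shape of the attack is the same. Order matters for the lockout demo.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "letmein",
                    "welcome", "fluffy2014", "dragon", "monkey", "princess"]

# Constructed accounts: two reuse a "popular" password, one uses a random one.
USERS = {"alice": "password", "bob": "fluffy2014", "carol": "Xq7!v#2mLp9z"}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 only so the toy store is not plaintext; throttling is the point here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


class ToyLoginService:
    """Password check with an optional per-account lockout after N failures."""

    def __init__(self, users: Dict[str, str], max_failures: Optional[int] = None):
        self.store = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.store[name] = (salt, _hash(pw, salt))
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.attempts = 0  # guesses the server actually evaluated

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'bad' or 'locked'. With max_failures=None the server
        answers every guess honestly, which is the behaviour the story describes."""
        if user not in self.store:
            return "bad"
        if self.max_failures is not None and self.failures[user] >= self.max_failures:
            return "locked"
        self.attempts += 1
        salt, digest = self.store[user]
        if hmac.compare_digest(_hash(password, salt), digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad"

    def locked_accounts(self) -> List[str]:
        """Legitimate users now shut out: the collateral cost of a naive lockout."""
        if self.max_failures is None:
            return []
        return sorted(u for u, n in self.failures.items() if n >= self.max_failures)


def dictionary_attack(service: ToyLoginService, users: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Vertical attack: the whole wordlist against each account in turn."""
    cracked = {}
    for user in users:
        for guess in wordlist:
            result = service.login(user, guess)
            if result == "ok":
                cracked[user] = guess
                break
            if result == "locked":
                break  # per-account lockout stops this variant
    return cracked


def password_spray(service: ToyLoginService, users: List[str], wordlist: List[str],
                   per_account: int) -> Dict[str, str]:
    """Horizontal attack: only `per_account` guesses per user, across all users,
    so a per-account failure counter never reaches the lockout threshold."""
    cracked = {}
    for guess in wordlist[:per_account]:
        for user in users:
            if user in cracked:
                continue
            if service.login(user, guess) == "ok":
                cracked[user] = guess
    return cracked


if __name__ == "__main__":
    unthrottled = ToyLoginService(USERS)
    print("no lockout:", dictionary_attack(unthrottled, list(USERS), COMMON_PASSWORDS))
    locked = ToyLoginService(USERS, max_failures=5)
    print("lockout=5 :", dictionary_attack(locked, list(USERS), COMMON_PASSWORDS),
          "locked out:", locked.locked_accounts())
    sprayed = ToyLoginService(USERS, max_failures=5)
    print("spray 4/acct:", password_spray(sprayed, list(USERS), COMMON_PASSWORDS, 4),
          "locked out:", sprayed.locked_accounts())
```

Against the unthrottled service the wordlist recovers every account whose password is on it; the random one costs the attacker the full list and nothing more. A per-account lockout cuts off the vertical attack but locks the targets out of their own accounts, and spraying four guesses per account still recovers the weakest password without tripping it, which is why real defences also throttle per source address and globally rather than counting failures per account alone.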

  7. Monorail by sexconker · · Score: 5, Funny

    Well, sir, there's nothing on Earth
    Like a genuine, bona-fide
    Electrified, six-inch iPhone 6 Plus.
    What'd I say?

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    That's right! iPhone 6 Plus!

    iPhone 6 Plus.
    iPhone 6 Plus.
    iPhone 6 Plus.

    I saw those leaks they had me wowed.
    We've made some changes to iCloud.
    Is there a chance the phone could bend?
    Not on your life, my hipster friend.

    What about us brain-dead slobs?
    You'll just worship Mr. Jobs.
    What's the point of that huge bezel?
    Just more space for fans to revel.

    16 gigs is too little space.
    Pay the upcharge to keep pace.
    I swear this phone's your only choice,
    Throw up your hands and raise your voice.

    iPhone 6 Plus!
    What's it called?
    iPhone 6 Plus!
    Once again.
    iPhone 6 Plus!

    But iOS is still shitty and broken.
    Sorry, Slashdot, the mob has spoken.

    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!
    iPhone 6 Plus!

    iPho, d'oh!

  8. I stumbled on this one a while ago by EmperorOfCanada · · Score: 2, Interesting

    I was helping someone with their forgotten iCloud password and we tried a few dozen variations. My incorrect guess was that instead of telling me to go to hell that it was playing some odd game such as letting me try passwords by ignoring me to waste my time.

    It simply never occurred to me that this was a ginormous security hole staring me in the face. What exactly is happening at Apple, there is Bentgazi, iOS 8 killing iPhone 4s and iPhone 5, iOS 8.0.1 killing iPhone 6, apparently a last minute screen switch away from sapphire, plus many subtle other things such as it doesn't seem like they are using liquid steel in their cases, and the whole U2 spam crap, which it turns out they wrote a massive cheque to U2 for. Then there is the collective yawn over the iWatch. But worst of all is the total lack of a substantially new product in years. Basically the business model at Apple has been to steamroll all their older product lines with something mind-boggling. But they seem to have stalled. iPhone sales are awesome but if you look at the history of all of Apple's previous products they basically had their day in the sun and then were eclipsed by the latest and greatest Apple product. iMacs, iPods, iPod touches, Nanos, iPhones, iPads, and now the iWatch. I think that the iWatch will end up sitting alongside the Apple TV, not eclipsing anything.

    1. Re:I stumbled on this one a while ago by shrik3 · · Score: 2

      Ok, I'll bite. What, to you, counts as a "substantially new product" from - say - Samsung, HTC, Nokia or any other mobile manufacturer?

      Please exclude any devices that have only bigger X and faster Y and more Z, since that's not substantially new.