This may be worth keeping an eye on if you’re concerned about iCloud security.
Per 9to5Mac, a new tool posted to the developer site GitHub claims to be able to run password dictionary attacks against any iCloud account, apparently evading the rate limiting that Apple's servers are supposed to apply to stop exactly this kind of guessing. In September, Apple reported it had closed one such hole that allowed brute-force attacks.
The tool's source code has been released on GitHub. On inspection it is fairly crude: it simply tries each entry in a word list of about 500 passwords as the password for a given iCloud account email. So while it is "guaranteed" to make all 500 of its guesses, it is by no means guaranteed to crack your password.
Any password that is not one of the words in the list posted with the tool is safe from this particular run of it. Even so, a missing lockout matters, because many users do choose plain dictionary words as passwords, and a more determined attacker could use the same bypass against far more complex passwords. Nothing in the technique ties it to this list: an attacker with more resources and time could feed it a dramatically larger word list than the one posted on GitHub.
Apple should be able to patch the hole quickly, however, since the technique is not sophisticated: it appears to rely on pretending to be an iPhone. For whatever reason, Apple's servers accept an unlimited number of such requests without locking the account after several failed attempts.
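To make the two points above concrete (a dictionary attack only ever finds passwords that are in its list, and a lockout is worthless if one client type is exempt from it), here is an added simulation. It is not the tool's code and not Apple's implementation; it is a hypothetical login service with a per-account lockout, a constructed eight-word list standing in for the tool's dictionary, and a made-up `device_type` field standing in for whatever the real servers use to recognise an iPhone. The `exempt_device_types` parameter models the flaw the article describes; an empty set is the hardened configuration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the tool's word list; the real 500-word list is not reproduced.
WORDLIST = ["password", "123456", "qwerty", "iloveyou",
            "letmein", "monkey", "dragon", "football"]

PBKDF2_ROUNDS = 20_000  # kept low so the demo runs in well under a second


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, _derive(password, salt))


class AuthService:
    """Toy login endpoint: lock the account after MAX_FAILURES bad guesses.

    Hypothetical model, not Apple's code.  If a client type is listed in
    exempt_device_types, its failed guesses are never counted, so an attacker
    who merely claims to be that client can guess without limit.
    """
    MAX_FAILURES = 5

    def __init__(self, accounts, exempt_device_types=()):
        self.accounts = {a.email: a for a in accounts}
        self.exempt = frozenset(exempt_device_types)

    def login(self, email: str, password: str, device_type: str = "web") -> str:
        acct = self.accounts.get(email)
        if acct is None:
            return "invalid"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        # The flaw: an exempt device type skips the failure counter entirely.
        if device_type not in self.exempt:
            acct.failures += 1
            if acct.failures >= self.MAX_FAILURES:
                acct.locked = True
        return "invalid"


def dictionary_attack(service, email, wordlist, device_type):
    """Try each word in order; return (password_or_None, attempts_made)."""
    for attempts, word in enumerate(wordlist, start=1):
        result = service.login(email, word, device_type)
        if result == "ok":
            return word, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def run_demo():
    victim = "victim@example.com"  # constructed account
    results = {}
    # Flawed server: guesses that claim to come from an iPhone are never counted.
    flawed = AuthService([make_account(victim, "dragon")], exempt_device_types={"iPhone"})
    results["flawed_spoofed"] = dictionary_attack(flawed, victim, WORDLIST, "iPhone")
    # Same flawed server, but an honest web client is locked out after 5 failures.
    flawed = AuthService([make_account(victim, "dragon")], exempt_device_types={"iPhone"})
    results["flawed_web"] = dictionary_attack(flawed, victim, WORDLIST, "web")
    # Hardened server: every failure counts, whatever the client claims to be.
    fixed = AuthService([make_account(victim, "dragon")])
    results["fixed_spoofed"] = dictionary_attack(fixed, victim, WORDLIST, "iPhone")
    # A password not in the list survives even the flawed server's unlimited guessing.
    flawed = AuthService([make_account(victim, "correct horse battery staple")],
                         exempt_device_types={"iPhone"})
    results["flawed_strong_pw"] = dictionary_attack(flawed, victim, WORDLIST, "iPhone")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The spoofed attack against the flawed server recovers "dragon" on the seventh guess; the same attack against the hardened server, and the honest-client attack against the flawed one, are stopped after the lockout on the fifth failure; and the strong password is never found because the list is exhausted. The hardening is simply that the failure counter is keyed on the account and never on what the client claims to be; a production service would use a temporary lockout or exponential back-off rather than a permanent lock so that an attacker cannot turn the defence into a denial of service against the victim.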
The Photos app on iCloud.com has been pulled, although it is unclear whether there is any connection. Infamously, a host of celebrities had their iCloud account information stolen in August 2014, leading to thousands of nude and revealing photos being posted online.
Stay tuned for additional details as they become available.
One reply on “iDict brute-force security tool for hacking iCloud account passwords becomes available on GitHub”
RT @JasonOGrady: iDict brute-force security tool for hacking iCloud account passwords becomes available on GitHub http://t.co/vMC8wJxPbs