{"id":35296,"date":"2015-01-09T09:34:11","date_gmt":"2015-01-09T17:34:11","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=35296"},"modified":"2015-01-09T09:34:11","modified_gmt":"2015-01-09T17:34:11","slug":"apple-patches-brute-force-password-cracking-security-hole-in-icloud","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/apple-patches-brute-force-password-cracking-security-hole-in-icloud\/","title":{"rendered":"Apple Patches Brute Force Password-Cracking Security Hole in iCloud"},"content":{"rendered":"

\"Dictionary\"
\nOn New Year’s Day, when most of us were recovering from festivities of the night before, Apple was dealing with a whole different headache.<\/p>\n

A hacker group calling themselves Pr0x13 released a tool designed to exploit a hole in Apple security, and gain access to iCloud accounts through sheer brute force.<\/p>\n

iDict was described as a “100% working iCloud Apple ID Dictionary attack that bypasses account lockout restrictions and secondary authentication on any account.”<\/p>\n

Posing as a legitimate iPhone device, the iDict software would make multiple attempts to break into iCloud accounts, working through a long list of commonly used passwords. That’s the kind of attack that you would hope Apple would normally prevent\u2014noticing that the wrong password has been entered five times, and then blocking further attempts.<\/p>\n

But iDict apparently leapt around that security hurdle\u2014and it also, according to its author, could even bypass security questions (“What was the first car you owned?”) and two-factor authentication.<\/p>\n

Releasing his or her code on GitHub, Pr0x13 claimed that the security hole exploited by iDict was “painfully obvious” and that it was “only a matter of time before it was privately used for malicious or nefarious purposes.” The hacker went on to explain that the iDict code was being publicly disclosed “so Apple will patch it.”<\/p>\n

\"iDict\"<\/p>\n

What a way to start 2015… as if 2014 hadn’t raised enough concerns about cloud security with numerous leaks of nude celebrity photos<\/a>.<\/p>\n

Fortunately, it appears that Apple responded quickly to the iDict threat and by 2 January, the security hole had apparently been fixed, as Pr0x13 acknowledged in a tweet.<\/p>\n

\n

iDict is patched, Discontinue it's use if you don't want to lock your account #TheMoreYouKnow<\/a><\/p>\n

— ! \u2605 (@pr0x13) January 2, 2015<\/a><\/p><\/blockquote>\n