Aw, don't be iDict! Apple kills brute force iCloud cracker
Nefarious activities? I did it 'cos I could – hacker
Apple has applied a security update that breaks a recently distributed iCloud hacking tool that took advantage of the flaw that led to the mass hack of nudie pics belonging to celebs including Jennifer Lawrence and Kate Upton.
iDict was purportedly created to force Cupertino into belatedly fixing a wide open security flaw most believed it had fixed in the wake of the iCloud celebrity hack last year.
The iDict tool had enabled dictionary attacks against Apple's iCloud user base. But Cupertino soon applied controls that blunted attacks based on the tool by locking up targeted accounts after a large number of failed login attempts.
The utility, which was published on Github on New Year's Day, was thwarted by better security controls by Apple applied on 2 January, as the developer of the neutered brute force hacking tool acknowledged.
The utility posed as a legitimate iPhone device attempting to log into iCloud.com. Tighter controls applied last year meant accounts ought to have been locked after five failed attempts, but hacker pr0x13 discovered a trick to fool Apple's system.
"This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities," pr0x13 explained, adding: "I publicly disclosed it so Apple will patch it."
Users affected by attacks based on iDict would have been those who did not use two-factor authentication (2FA) and whose email addresses were public.
Jerome Segura, senior security researcher at Malwarebytes, commented: "This new hacking tool to guess iCloud users' passwords reminds us of a similar attack targeted at celebrity accounts a few months back. iDict, as this tool is called, is made of a few php files and a large text file containing hundreds of thousands of passwords."
Segura faulted Apple for its failure to put up sufficiently robust roadblocks guarding against brute-force attacks prior to the appearance of the hacking utility.
"The hacker loads the scripts on a local web server and is able to perform unlimited login attempts using the list of passwords," he explained. "This technique, known as a brute force dictionary attack, can only work if the service it is trying to abuse does not detect and block repeated and failed login attempts.
"Apple, just like many other companies, does typically detect this type of abuse and locks down the particular account being probed. What seems to happen here, [with] the 'exploit', is a failure to notice the brute force attack and therefore [a] failure to prevent it." ®